6 Tips For Proper Handling Of Credit Card Information
Customers entrust you with sensitive data such as credit card information. Data breaches continue to occur, but there are ways to ensure that you are doing everything possible to keep personal information secure. Here are six best practices for handling customer credit card information that your company can implement.
1. Understand your obligation to protect information
You are contractually obligated to protect your customers' credit card information if you have a merchant account for processing credit card transactions.
If you read the fine print of the contract you signed, it is likely that it states that your company must be "PCI Compliant." Safeguarding account information is an important part of PCI Compliance, including how you store the information as well as the equipment and service providers you use.
When you use third-party payment processing software or an online payment gateway, the product should protect all of your customers' credit card information.
2. Use only approved equipment and software
Whether you use a terminal for POS transactions or a swiper connected to a computer or mobile phone running payment processing software, you must ensure that all of your hardware and software are PCI compliant. Unfortunately, not all of the equipment for sale is safe to use. Many applications and card readers have security flaws and vulnerabilities, making them less than ideal.
Inquire about EMV card readers. EMV card readers help to prevent fraud and are far more reliable than older magnetic swipe technology.
Reputable hardware and software vendors put their products through rigorous testing to ensure their quality. Use only tested and approved solutions to protect your customers and your business. The PCI DSS website contains lists of approved providers that can be searched by company name or product name:
Hardware: Approved PIN Transaction Security Devices
Software: Validated Payment Applications
3. Use only approved service providers
You can use a service provider to manage credit card processing and credit card account storage if you don't want to install and run credit card processing software yourself. Web-based SaaS (Software as a Service) providers, IVR phone services, and even companies to which you outsource all payment processing functions are examples of service providers.
These service providers are subjected to extensive testing by an external Qualified Security Assessor, who conducts a thorough audit of the company's policies, procedures, and systems. If the company passes the test, it is referred to as a "PCI DSS Validated Entity." As part of your PCI compliance, you are required to use only PCI DSS Validated service providers.
4. Never store electronic track data or the card security number
While you may have a legitimate business reason for storing credit card information, processing regulations expressly prohibit storing a card's security code or any "track data" contained in the magnetic strip on the back of a credit card.
The card security number, abbreviated as CVV, is the three-digit number on the back of Visa/MasterCard cards. It is intended to allow merchants to determine whether a customer authorising a transaction over the phone or through the Internet actually has the card. This method is only effective if the security code is never stored alongside the card number. With electronic storage this is simple: you do not include a field for the security code. For paper storage, you must redact the security code after successfully processing the transaction and before storing the paper authorization form.
The data stored in the magnetic strip on the back of the card contains account information that is not visible on the card. This information aids in transaction authorization and ensures that credit cards cannot be easily counterfeited. Card readers can be designed to display this data, and software can be designed to store it—all without your knowledge.
Never store security codes or track data on purpose. You must also be careful not to store them inadvertently. Use only approved hardware and software to accomplish this.
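One way to check for inadvertent storage, shown as an added example that is not part of the original article: a Python scan of log or export text for magnetic-stripe track data, card numbers and labelled security codes. The track layouts follow ISO/IEC 7813; the sample log, the label list and all function names are constructed for illustration.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<name>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^\n]{2,26}\^\d{4}[^?\n]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}[^?\n]*\?")
# Bare card number: 13-19 digits, optionally separated by single spaces or dashes.
PAN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A 3-4 digit value recorded next to a security-code label.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\W{0,3}(\d{3,4})\b", re.I)

# Constructed sample log; 4111111111111111 is a well-known test card number.
SAMPLE = """\
2024-01-05 order=10293847561234 status=paid
2024-01-05 swipe raw=%B4111111111111111^DOE/JANE^2512101000000000?
2024-01-05 swipe raw=;4111111111111111=25121010000000000000?
2024-01-05 phone order card 4111 1111 1111 1111 cvv: 123
"""

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Show only the last four digits so the report itself stores no card number."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan(text):
    """Return (line_no, kind, masked_value) for each item that should not be stored."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                findings.append((no, kind, mask(m.group(1))))
            line = rx.sub(" ", line)        # do not report the track's PAN a second time
        for m in PAN.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((no, "pan", mask(digits)))
        for m in CVV.finditer(line):
            findings.append((no, "cvv", "*" * len(m.group(1))))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The order number on the first sample line has the length of a card number but fails the Luhn check, so it is not reported.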
5. Encrypt and secure electronic credit card account numbers and paper storage
There are times when you need to keep credit card numbers, such as proof of written authorizations for mail-order payments or recurring payment authorizations. When not in use, keep paper documents containing credit card numbers in a secure location (such as a safe).
Electronic storage of credit card numbers is also common, for example if you process recurring or repeat transactions. If you do this, you must not store these files unencrypted. Ensure that any electronic storage is encrypted with a strong encryption algorithm. This provides some protection in the event of theft or unauthorised access.
Many service providers offer secure storage as a stand-alone service or as part of a payment processing package. These services typically issue you a "token" in exchange for a card number that they store. The token can be kept in any unsecured file. When you're ready to make a payment through your online payment gateway, you send the token to the service provider, who retrieves the full card number for the sole purpose of processing the payment. If you go this route, use a PCI DSS Verified provider.
6. Encrypt phone recordings that contain credit card account numbers
Many businesses that take phone orders record calls in order to monitor service quality and keep track of payment authorizations. If you do this, you are creating a database of credit card numbers (and often security code numbers) that is vulnerable to theft. If you store the recordings digitally, you should encrypt them as soon as possible and keep them in a password-protected directory with limited access. Check the storage system for any software that enables text-to-speech conversion. Such software would expose those credit card numbers to anyone with access to the system.
Following these best practices will help you meet your requirements for protecting credit card account information and remaining PCI compliant. However, that is not the only reason to do it. Protecting your customers' credit card information demonstrates that you are looking out for their best interests, which is simply good business.