The classic, and now obsolete, way that a small business might store customer credit card information would be to keep a document with the card in the client’s file. This might mean keeping paper in a filing cabinet or scanned documents in an electronic system.
Due to PCI DSS requirements, and the availability of much safer methods of storing credit card information, this method is no longer a viable option for businesses of any size.
Any company processing, storing, or transmitting credit card numbers must be PCI DSS compliant. The Payment Card Industry (PCI) is a private industry group set up by the major credit card companies to define standards for companies that process credit card transactions. The Data Security Standard (DSS) was defined to prevent credit card fraud, hacking, and other security issues. Non-compliance risks losing the ability to process credit card payments. With so much focus on PCI compliance, merchants need a process they can trust to help them gain, maintain, and verify their compliance.
The following are a few credit card processing myths:
Myth: I’m a small merchant who only takes a handful of cards, so I don’t need to be PCI compliant
Fact: This is a common misunderstanding. If you are a merchant set up to take credit cards by any mechanism, whatever the size of your business, then you need to be compliant.
Myth: PCI compliance only applies to E-commerce companies.
Fact: No, PCI applies to every company that stores, processes, or transmits cardholder information.
Myth: I can wait until my business grows.
Fact: Incorrect: the PCI standard applies to businesses of all sizes, and waiting could be costly. Should you be compromised while not PCI compliant, the fines and the compensation required by the banks could be substantial.
Myth: As a merchant, I’m entitled to store any data.
Fact: Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of government privacy legislation. PCI regulations forbid storing any of the following information:
- Unencrypted credit card number
- CVV or CVV2
- PIN blocks
- PINs
Any of the above found in databases, log files, audit trails, backups, etc. can result in serious consequences for the merchant, especially if a compromise has taken place.
Myth: Outsourcing card processing makes us compliant.
Fact: Outsourcing simplifies payment card processing but does not provide automatic compliance. Your business must still protect cardholder data when you receive it and when you process chargebacks and refunds. You must also ensure that applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data.
Myth: PCI is unreasonable; it requires too much.
Fact: Most aspects of the PCI DSS are already part of most common best practices for security and in some cases can be used as a model to secure all sensitive information.
An example of a PCI compliant process is found in how the Connected Accounting and ERP software processes payments with BluePay. When a credit card is processed through Connected with its integration with BluePay, the card is never stored and never visible after the processing is completed. Information is transmitted securely to the BluePay server and either a successful authorization or a failure is returned. As soon as the processing is executed, the card number and security code are either removed or replaced with asterisks, so the actual data is never stored within Connected.
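The two points above, that forbidden data tends to leak into log files, audit trails and backups, and that a compliant process masks the card number and drops the security code as soon as authorization completes, can both be checked in code. The following is an added example written for this article; it is not code from Connected, BluePay, or the PCI Council. It scans a few constructed log lines (the card numbers are publicly known test numbers, not real cards) for unmasked card numbers and CVV fields, using a Luhn check to filter out look-alike numbers such as order IDs, and shows a masking routine that keeps only the last four digits. The log format, field names (`pan=`, `cvv=`) and regular expressions are assumptions for the example.

```python
import re

# Constructed sample log lines for the example (not taken from any real system).
# Line 1 leaks a full PAN and a CVV; line 2 is already masked; line 3 holds a
# 16-digit order id that is NOT a card number; line 4 leaks a PAN with spaces.
SAMPLE_LOG = """\
2024-01-01 12:00:00 INFO  charge ok amount=19.99 pan=4111111111111111 cvv=123
2024-01-01 12:00:01 INFO  charge ok amount=5.00 pan=************4444
2024-01-01 12:00:02 DEBUG order_id=1234567890123456 status=queued
2024-01-01 12:00:03 INFO  refund ok pan=5555 5555 5555 4444
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (assumed format).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC/CSC field carrying a 3- or 4-digit value (assumed field names).
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with asterisks."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return the digit strings of every Luhn-valid card number found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Report (line number, kind, masked value) for each forbidden item found.

    The PAN is reported already masked so the scan output itself does not
    become another place where full card numbers are written down.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_unmasked_pans(line):
            findings.append((lineno, "PAN", mask_pan(pan)))
        if CVV_FIELD.search(line):
            findings.append((lineno, "CVV", "<redacted>"))
    return findings


def redact_line(line: str) -> str:
    """Rewrite a line so that PANs are masked and CVV values are removed."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()        # not a card number, leave it alone

    line = PAN_CANDIDATE.sub(_mask, line)
    return CVV_FIELD.sub(lambda m: m.group().rstrip("0123456789") + "***", line)


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Running the scan over the sample reports the PAN and CVV on line 1 and the spaced PAN on line 4, while the order ID on line 3 is ignored because it fails the Luhn check. The same `redact_line` logic is what a payment integration should apply before anything containing card data is written to a log, audit trail or backup; the security code is never kept at all, and the card number survives only in its masked form.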
No matter how your business chooses to process credit cards, it is very important to ensure PCI compliance to avoid unfortunate consequences or breaches down the road.