How to securely keep credit cards on file for your customers


Virtually no week goes by without news of yet another data breach in which sensitive customer credit card information was compromised. As a business owner and as the holder of an account with a credit card processing company, it is vital that you take steps to secure your patrons’ valuable information.

Pay attention to your hardware and software.

Check with your merchant services company to make sure that all of the equipment and programs you use, including any fixed terminal, tablet or mobile card reading software, are PCI compliant. Be sure your hardware is an approved PIN transaction security device and your software is validated.

Storage is a very bad idea.

Regulations from your processing company specifically forbid you from keeping a record of the security code or any of the “track data” that is contained on a credit card’s magnetic stripe. On any paper authorization forms that you may keep for your records, you must cross out the 3- or 4-digit security or CVV code with a dark pen in order to make it unreadable. Having approved hardware and software also ensures that you have not inadvertently stored sensitive data.
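One way to check your own exports and logs for data that was stored inadvertently, as an added example that is not part of the original article: the sketch below flags lines that look like magnetic stripe track data, labelled security codes, or card numbers that pass the Luhn checksum. The function names, patterns and sample records are assumptions constructed for illustration.

```python
import re

# Track 1 format B: %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{12,19})=\d{7}\d*\?")
# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
PAN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A 3- or 4-digit value labelled as a security code.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\b\D{0,5}\d{3,4}(?!\d)", re.I)

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (invoice numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits so the report holds no full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (line number, kind, masked value) for each suspected item."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tracks = [(kind, m) for kind, rx in (("track1", TRACK1), ("track2", TRACK2))
                  for m in rx.finditer(line)]
        findings += [(lineno, kind, mask(m.group(1))) for kind, m in tracks]
        if CVV.search(line):
            findings.append((lineno, "cvv", "[redacted]"))
        if tracks:
            continue  # the card number inside track data is already reported
        for m in PAN.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "pan", mask(digits)))
    return findings

# Constructed sample records; 4111111111111111 is a widely used test number.
SAMPLE = """order 1001 card 4111 1111 1111 1111 exp 12/29
CVV: 123
;4111111111111111=29121010000000000?
%B4111111111111111^DOE/JOHN^29121010000000000?
invoice 1234567890123456 paid"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

A hit on `track1`, `track2` or `cvv` means data that must not be kept at all; a `pan` hit marks a record that needs encryption or removal.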

Encrypt electronic storage and secure all paper records.

In certain situations, such as recurring or mail-order business, you will want to keep hard copy or electronic records of transactions. Always lock away written data in a safe or other secure location, and use encryption for electronic information. If you are unsure of how to do this or do not have the necessary equipment, you can pay a PCI DSS-verified provider to perform the service for you.

Encrypt your phone recordings.

If you take orders over the phone and record those calls for quality control or order tracking purposes, you now have an ever-growing database of customer credit card information. As with electronic data, it needs to be encrypted. Store it in a password-protected directory to guard against theft or misuse. Also, be sure that no software is attached to your system that would allow a criminal to transfer valuable credit card information via text-to-speech technology.

Safeguarding your customers’ sensitive credit card information is more than just a requirement from your payment processing company; it is also one of the most proactive steps you can take to protect your customers as well as yourself. In short, it is simply good business on multiple levels.