Keep cardholder account numbers and personal information confidential. Cardholders expect you to safeguard any personal or financial information they may give you in the course of a transaction. Keeping that trust is essential to fraud reduction and good customer service. Cardholder account numbers and other personal information should be released only to your acquirer or processor, or as specifically required by law.
NOTE: Even though the credit card associations permit merchants to store credit card numbers, doing so is illegal in several states.
Merchants and their credit card processing acquirers must ensure that Third Party Agents who are handling Visa account numbers are registered in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
A merchant servicer (MS) is defined as a Third Party Agent that has a direct relationship with a merchant and is storing, processing or transmitting credit card account numbers on the merchant's behalf.
This type of Third Party Agent performs services such as payment gateway, shopping cart, fraud scrubbing, loyalty programs, etc. Merchant acquirers are responsible for ensuring each MS maintains compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), validates PCI DSS compliance with Visa, and is correctly registered. Merchants should work with their merchant account acquirers to ensure all Third Party Agent rules and requirements have been satisfied, ensuring the merchant's compliance with the Operating Regulations. Any Third Party Agent that is used by a merchant must be validated for PCI DSS compliance and listed on the validated service providers list.
All stored, processed or transmitted sensitive cardholder account or transaction information must comply with the PCI DSS and the Visa International Operating Regulations. To protect sensitive customer and transaction information from compromise, merchants that store, process, or transmit cardholder account or transaction data must:
- Keep all material containing account numbers, whether on paper or electronically, in a secure area accessible only to selected personnel.
- Merchants with paper receipts should be extremely careful during the storage or transfer of this sensitive information. Merchants should at all times:
  - Promptly provide the drafts to their acquirer.
  - Destroy all copies of the drafts that are not delivered to the acquirer.
- Render cardholder data unreadable, both in storage and prior to discarding.
- Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization. Storage of track data elements in excess of name, personal account number (PAN), and expiration date after transaction authorization is strictly prohibited.
- Use payment applications that comply with the PCI Payment Application Data Security Standard (PA-DSS). A list of validated payment applications is available at www.pcissc.org.*
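One way to enforce the two data-handling requirements above (render stored cardholder data unreadable; never keep CVV2 or track data after authorization) in a merchant's own code, as an added example that is not part of the original page or of any PCI SSC material. The field names, the sample record and the log line are constructed for illustration.

```python
import re

# Sensitive authentication data that must never be kept after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv2", "track1", "track2", "chip_data", "pin_block"}

# 13-19 digits, optionally separated by spaces or dashes, starting and ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the rest is rendered unreadable."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Post-authorization record: drop sensitive authentication data and mask the PAN."""
    clean = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid 13-19 digit number so a full PAN never lands in a log file."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, line)


# Constructed sample data (not from the page); 4111... is a well-known test PAN.
SAMPLE_RECORD = {"pan": "4111111111111111", "name": "J DOE", "expiry": "12/29",
                 "cvv2": "123", "track2": "4111111111111111=29121011234567890000"}
SAMPLE_LOG = "auth ok pan=4111 1111 1111 1111 order=1234567890123456 amt=12.50"

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
    print(redact_log_line(SAMPLE_LOG))
```

The 16-digit order id in the sample log fails the Luhn check and is left intact, so the redactor only masks values that are plausibly account numbers.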
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.