Storing Credit Card Numbers

Keep credit card numbers and personal information confidential. Cardholders expect you to safeguard any personal or financial information they give you in the course of a transaction. Keeping that trust is essential to fraud reduction and good customer service. Release cardholder account numbers and other personal information only to your acquirer or processor, or as required by law.
 
NOTE: Even though the credit card associations permit merchants to store credit card numbers, doing so is illegal in several states.
 
Merchants and their credit card processing acquirers must ensure that Third Party Agents who handle Visa account numbers are registered and compliant with the Payment Card Industry Data Security Standard (PCI DSS).
 
A merchant servicer (MS) is a Third Party Agent that has a direct relationship with a merchant and stores, processes or transmits credit card account numbers on the merchant's behalf.
 
This type of Third Party Agent provides services such as payment gateways, shopping carts, fraud scrubbing, loyalty programs, etc. Merchant acquirers are responsible for ensuring that each MS maintains compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), validates its PCI DSS compliance with Visa, and is correctly registered. Merchants should work with their merchant account acquirers to ensure all Third Party Agent rules and requirements have been satisfied, so that the merchant stays compliant with the Operating Regulations. Any Third Party Agent that a merchant uses must be validated for PCI DSS compliance and listed on the validated service providers list.
 
All sensitive cardholder account or transaction information that is stored, processed or transmitted must be handled in accordance with the PCI DSS and the Visa International Operating Regulations. To protect sensitive customer and transaction information from compromise, merchants that store, process, or transmit cardholder account or transaction data must:
 
  • Keep all material containing account numbers, whether on paper or electronic, in a secure area accessible only to selected personnel.
  • Merchants with paper receipts should be extremely careful during the storage or transfer of this sensitive information. Merchants should at all times:
      • Promptly provide the drafts to their acquirer.
      • Destroy all copies of the drafts that are not delivered to the acquirer.
  • Render cardholder data unreadable, both in storage and before discarding.
  • Never keep full-track magnetic-stripe, CVV2*, or chip data after transaction authorization. After authorization, storage of any track-data element other than the cardholder name, primary account number (PAN), and expiration date is prohibited.
  • Use payment applications that follow the PCI Payment Application Data Security Standard (PA-DSS). A list of validated payment applications is available at www.pcissc.org.*
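What the two retention rules above (keep only name, PAN and expiry after authorization; render the PAN unreadable in storage) look like in code, as an added example that is not from this page and not Visa's or the PCI SSC's own code. The record layout, the field names, the first-six/last-four truncation and the keyed HMAC-SHA256 token are assumptions made for this illustration; PCI DSS Requirement 3 lists truncation and keyed one-way hashing among the acceptable ways of rendering a stored PAN unreadable, and which one a deployment uses is a design decision. The sample record and key are constructed test values.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): must never be retained after authorization.
# Field names are assumptions for this example.
SAD_FIELDS = ("track1", "track2", "cvv2", "chip_data")

PAN_RE = re.compile(r"^[0-9]{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; used only to reject malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(value: str) -> bool:
    return bool(PAN_RE.match(value)) and luhn_ok(value)


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, mask the rest."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way digest of the PAN (HMAC-SHA256).
    An unkeyed hash is not 'unreadable': the PAN space is small enough to
    enumerate, so the key must be held outside the datastore (HSM/key service)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def contains_full_pan(text: str) -> bool:
    """Guard for logs and serialized output: any 13-19 digit Luhn-valid run."""
    return any(luhn_ok(m.group(0)) for m in re.finditer(r"[0-9]{13,19}", text))


def scrub_after_authorization(record: dict, key: bytes) -> dict:
    """Build the only record that may be written to storage once the
    authorization response has been received."""
    pan = record["pan"]
    if not is_plausible_pan(pan):
        raise ValueError("malformed PAN")
    stored = {
        "cardholder_name": record["cardholder_name"],
        "expiry": record["expiry"],
        "pan_truncated": truncate_pan(pan),
        "pan_token": pan_token(pan, key),
        "auth_code": record.get("auth_code"),
    }
    # Defence in depth: no SAD field and no full PAN may reach the stored record.
    for field in SAD_FIELDS + ("pan",):
        if field in stored:
            raise RuntimeError(f"forbidden field {field} in stored record")
    for name, value in stored.items():
        # The token is a hex digest, not a PAN, so it is excluded from the scan.
        if name != "pan_token" and isinstance(value, str) and contains_full_pan(value):
            raise RuntimeError(f"full PAN leaked into {name}")
    return stored


# Constructed sample authorization record (synthetic test values only).
SAMPLE_RECORD = {
    "cardholder_name": "A CARDHOLDER",
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv2": "123",
    "track2": "4111111111111111=27121011000012345678",
    "chip_data": "9F360200FF",
    "auth_code": "A1B2C3",
}
# Demo key only; a real deployment keeps this in an HSM or key service.
DEMO_KEY = b"demo-key-not-for-production"

if __name__ == "__main__":
    import json
    print(json.dumps(scrub_after_authorization(SAMPLE_RECORD, DEMO_KEY), indent=2))
```

The truncated fragment is what a clerk or a receipt needs; the keyed token is what lets you match a returning card (refunds, chargeback lookup) without ever holding the PAN. `contains_full_pan` is the kind of check to run over anything headed for disk or a log file, since the common leak is not the card table but a debug log of the raw authorization message.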
 
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it reaches the merchant. Furthermore, the bank will also most likely either end the relationship or increase transaction fees. Penalties are not discussed or publicized, but they can be catastrophic to a small business.
 
It is important to be familiar with your merchant account agreement, which should outline your exposure.
