As a company, you are responsible for protecting your customers’ credit card information after they shop with you. If you fail, your reputation will take a hit, and people will simply be afraid to purchase from your brand.
Could you blame them?
You wouldn’t want your credit card data to get leaked, either. Sadly, the chances of that happening are pretty high.
2021 has already seen 17% more data compromises than 2020, and the year is not over yet at the time of writing this.
This article goes through some tips on properly handling and storing your customers’ credit card information so you can protect it. Doing so will help you adhere to payment security standards and avoid cyber attacks.
Jump to section:
Understand PCI Standards
Don’t Store Card’s Track Data
Encrypt the Electronic Data You Store
Use Approved Software and Equipment
Use Reputable Service Providers Only
Take Extra Caution With Recurring Billing
Keep Your Hardware and Software Updated
You can’t protect your clients’ payment information without understanding the payment card industry’s (PCI) standards.
The standards were created to protect the end customer by setting guidelines that companies have to follow.
Sadly, Verizon’s 2020 Payment Security Report showed that wasn’t the case. Less than a third (27.9%) of companies achieved 100% compliance in 2019, the lowest value since 2014.
This statistic shows that companies either don’t understand PCI standards or don’t care enough to implement them. Both of these options can be dangerous, especially for smaller businesses, since the fines for non-compliance are pretty costly.
If a company violates PCI standards, it will pay anywhere from $5,000 to $100,000 per month until it achieves compliance.
Of course, banking fines are not the only cost to cover in case of data breaches.
Moreover, many companies get sued after a breach, meaning they also have to spend money on lawsuits and different fees.
Now that we know just how dangerous it is to fail at PCI compliance, let’s learn more about it.
PCI standards are rules set by major payment card providers that protect the customer by forcing companies to keep the credit card information safe.
If these rules weren’t in place, any company you buy from could simply not invest in data security and let anyone access your card information, which would end badly for everyone involved.
You can find and study the official guidelines on the PCI Security Standards Council’s website. They group the requirements under six goals:
- building and maintaining a secure network and systems
- protecting the cardholder’s personal information
- setting up and following a vulnerability management plan
- investing in solid measures for access control
- monitoring and testing networks regularly
- creating and updating an information security policy
These six steps are the crux of good payment information protection and are the least you can do to ensure the credit card data is safe and secure.
Any company that deals with payments and has access to customers’ credit card data must follow these standards.
Some businesses think PCI standards don’t apply to them because they don’t store customers’ credit card data. The truth is, these rules apply to everyone who accepts debit or credit card payments, regardless of whether they save the payment information.
One of the biggest mistakes when handling a client’s credit card information is saving the track data.
A credit card’s track data is the information encoded in the magnetic stripe on the back of the card. It is read by the payment terminal and can include the cardholder name, primary account number (PAN), card security code (CSC), card identification (CID) number, and card verification value (CVV).
PCI standards state that you may only save the credit card data you actually need to process a payment. Everything else, including a card’s track data, should be deleted from your system.
Beyond the track data itself, you should never save the complete magnetic stripe contents, PINs or PIN blocks, or the CVV. Any of these can help an attacker use the card in question for purchases, money transfers, or withdrawals.
Because of this danger, the only company that can save this kind of information is the card issuer under specific conditions. You, as the vendor, don’t need this information, so there’s no need for you to hold onto it.
If you save such data and it ends up in the wrong hands, your client’s privacy will be threatened because of your mistake.
Sadly, despite this, 5% of companies still end up saving credit card track data, according to Security Metrics.
Some of these companies may be saving track data unintentionally. They never meant to hold onto this information, but their systems store it without anyone realizing it.
For example, error logs often contain credit card information, even for payments that failed.
Your accounting, marketing, and customer service teams may also have access to customers’ private payment information.
If you want to ensure that you don’t have any unnecessary sensitive data stored in your system, start by checking these places first.
If you have to hold onto customer credit card information, make sure it’s not easily readable.
The easiest and most common way of doing this is encrypting the information, i.e., transforming it so that it cannot be read without the encryption key.
That way, you still have the data saved in the system and can access it when necessary, but you’re adding a layer of protection against cyber-attacks.
Even if a hacker or a third party comes into contact with your data, they won’t be able to read it, which makes encryption a great choice.
While this sounds logical, Security Metrics’ report states that 74% of companies still save unencrypted card data.
In other words, only one-fifth of companies are doing what they should to keep credit card data secure, which sadly doesn’t come as a shock.
According to Verizon’s payment security report, the state of PCI compliance in the Americas isn’t that great.
They found that the compliance percentage fell from 77.4% to 69.1% in 2019, which isn’t satisfactory.
In fact, it means that over 30% of companies fail to keep payment data secure, which is a cause for concern.
If you don’t want to be a part of this statistic, first understand what you are even allowed to save. PCI Security Standards Council states that you can hold onto:
- Primary Account Number (PAN)
- Cardholder name
- Expiration date
- Service code
Whenever you store this information, encrypt it. An encryption algorithm transforms the payment data as soon as the customer submits it, and only that transformed form is kept.
If someone without the proper key tries to access the information, they will see only ciphertext and won’t be able to read it.
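As an added example (not code from Regpack or the article), the following shows what "store only the four allowed fields, and encrypt the PAN" looks like in practice: a record type that has no place for CVV, PIN or track data, a conversion that refuses input still carrying them, and AES-GCM encryption of the PAN with the cardholder name bound as associated data so a swapped record is detected on decryption. The CardInput and StoredCard types, the AES-GCM choice and the field names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardInput is a hypothetical checkout payload; only the first four fields may be stored.
type CardInput struct {
	PAN, Name, Expiry, ServiceCode string
	CVV, PIN, TrackData           string // sensitive authentication data: never persisted
}

// StoredCard holds only storable fields; the PAN survives only as AES-GCM ciphertext.
type StoredCard struct {
	Nonce, Ciphertext         []byte
	Name, Expiry, ServiceCode string
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ToStored refuses input still carrying CVV, PIN or track data, then encrypts the PAN (name bound as AAD).
func ToStored(in CardInput, aead cipher.AEAD) (StoredCard, error) {
	if in.CVV != "" || in.PIN != "" || in.TrackData != "" {
		return StoredCard{}, errors.New("refusing to store CVV, PIN or track data")
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(in.PAN), []byte(in.Name))
	return StoredCard{Nonce: nonce, Ciphertext: ct, Name: in.Name, Expiry: in.Expiry, ServiceCode: in.ServiceCode}, nil
}

// PAN decrypts the stored number; it fails if the ciphertext or the name was altered.
func (s StoredCard) PAN(aead cipher.AEAD) (string, error) {
	if len(s.Nonce) != aead.NonceSize() {
		return "", errors.New("malformed record")
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Name))
	return string(pt), err
}
```

The key itself must live outside the database that holds the records (an HSM or a key management service), otherwise a dump of the database still exposes every PAN.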
Once you get the gist of PCI standards and data saving rules, you can invest in software and equipment that’s PCI-approved. This means that an approved assessor has tested the software or application according to PCI standards and found it to be secure.
The catch is that it’s sometimes difficult to tell whether a product is PCI-tested and approved.
Also, unapproved software and apps are often a lot cheaper than those that guarantee protection, which can sway some business owners to buy them after all.
However, if you buy something that isn’t confirmed to be secure, be prepared for security holes and vulnerabilities that may lead to data leaks, privacy breaches, and additional expenses.
In other words, you may skimp on the software, but it will end up costing you a lot more in the long run.
To be more precise, IBM found that the cost of an average data breach in 2021 has reached its highest point so far at $4.24 million.
When you’re unsure whether the software or an application you’re looking into is PCI-approved, use the official lists available for devices and applications on the PCI Security Standards Council’s website.
You can also check the software’s website to see how much they invest in audits and checks, as this will give you a general idea of their security.
The Payment Security Report found that the worst-performing essential requirement among US companies in 2019 was testing security systems and processes.
If you go to our Security FAQ page, you’ll see that Regpack’s service provider is PCI-2 compliant while the payment information gets stored on a PCI-1 compliant server for maximum protection.
On top of that, the servers go through daily scans, weekly checks, and third-party monthly reviews to ensure maximum security.
When choosing excellent payment software for your organization, you should look for products that offer that kind of compliance and invest in regular scans and checks.
Unless you run your own payment processing software, you’ll have to find a service provider to do this work for you.
There’s nothing wrong with using external service providers to serve as a connection between you and your client’s credit card company. In fact, some of these providers might be a lot more PCI-compliant than your business.
The trick is finding reliable and secure service providers for the job.
Here are some things you can pay attention to when trying to find the right provider for your business:
The Provider’s Reputation
What better way to understand whether your chosen provider is trustworthy and gets the job done than to see what other customers have to say?
You want to see just how many people had negative experiences with the provider security-wise.
After all, 31% of customers would cut ties with a company that experienced a data breach, and 65% would lose their trust.
Technical Expertise and Capacity
Does the provider you’re looking into have the capacity to handle all the data traffic you will direct their way?
Just as importantly, you have to know whether they have the technical knowledge to perform these tasks.
As with any company that deals with payments, you must know whether your service provider passes all PCI standard checks.
In case they don’t, doing business with such a service provider will be very risky. After all, it’s your customers’ information they are dealing with, and your reputation could take a big hit in case of a data breach.
Finally, consider how much a reputable provider would cost. Some providers will charge you a monthly fee for using their services.
However, don’t forget about other expenses you may have to cover, such as the interchange fee or early termination fee. Before deciding on a company, try to calculate how much you’d have to pay for the credit card service each month to determine if it’s a good investment.
Offering recurring payments means you will have to store some credit card information, which is why you need to be extremely careful.
If recurring billing is not among your payment models, it may be worth your while to rethink this policy. Subscription services that use recurring billing saw a 437% growth in revenue in the last decade, as people now prefer to subscribe to services rather than own them.
Besides, businesses can benefit from charging their customers monthly or yearly for using the product or service instead of selling it and charging them once.
Customers benefit from recurring payment options too if they can pay in installments and break the big expense into several smaller payments.
Regpack, for example, offers many advanced options for recurring payments and auto-billing.
Around two-thirds (64%) of people feel a close relationship with brands that offer them subscriptions compared to those who provide one-time purchases. Now, this feeling of closeness and loyalty is something you, as a company, can capitalize on.
Studies show that customers are willing to spend twice as much money on companies they feel loyal to, which directly benefits all the businesses that offer subscriptions.
The point is, offering recurring billing options to your customers is definitely recommended if you want to continue growing within your market.
However, you have to be extremely careful with this mode of payment because it is based on saving the customer’s payment information and charging them regularly. Hence, the chances of an attack are high.
If you want to make the process easy on the customer, you will not ask for their payment data every month. Instead, you’ll save the necessary credit card information, encrypt it, and store it in a secure place.
You’ll also limit the number of people who have access to such data to prevent it from falling into the wrong hands.
Because of all these requirements, manually storing data in spreadsheets or similar programs leaves you and your customers vulnerable to cyber attacks.
Instead, you should use PCI-compliant billing software that keeps this data secure while limiting the amount of manual work.
If you rely on technology to charge your customers, keep an eye out for updates.
Technology isn’t perfect. There is always some weak point the vendor’s team is working on to bring the product up to date.
Once they fix an issue, the company will usually ask users to update the software or hardware to stay protected.
When you fail to update your software, you’re not as protected as other users, which means hackers can easily use this weak link to get access to your personal information. If this happens to be credit card data, you’re in for a lot of trouble.
It’s precisely because of this risk that the PCI DSS Requirement 6 exists.
This PCI standard makes it obligatory for companies to update their software or hardware within a month of the update’s release.
Those who fail to do that are no longer PCI-compliant, which, as you know, is an issue that can cost you a lot more than just money.
Chances are, you’ll also use a firewall and antivirus software, both of which will need frequent updates.
With every system update, you’re protected even more, which means that it’s always in your best interest to update the software and hardware you own as soon as the update is available.
Handling credit card data is always risky, especially so if you do it on a large scale. Your one mistake could lead to tens of thousands of dollars worth of costs, a ruined reputation, and lost customers.
Since the stakes are high, you should get to know at least the basics of PCI standards, so you can ensure that your software and hardware, as well as processes, are PCI-compliant.
When you abide by these rules, you will find yourself using only approved software that you regularly update, using only trusted service providers, and saving only the credit card data you actually need.
You’ll also understand that the data you end up saving needs to be encrypted to stay secure, which is your primary goal when storing sensitive payment information.