As electronic payments become more prevalent in business today, there are lots of reasons why business owners may want to store their customers’ credit card numbers. For a large or small company alike, this is a bad practice when the numbers are kept on the company’s own electronic or paper medium. In this article, I will get into why, and how you can get the same results and capabilities, or better, without the risk.
Some of the reasons that a merchant or company may store credit card numbers are as follows:
- The ability to charge their customers on a recurring basis.
- A convenience in the anticipation of future purchases from a customer or from upsells, so that the customer or merchant does not have to re-enter the number or re-swipe the card on each payment.
- Ease of multiple collections for contractual agreements.
In my opinion, taking responsibility for the security of credit card numbers stored on your own medium is a bad practice. In the last few years, we have seen large companies like Home Depot and Target have credit card data stolen. One needs to ask these questions:
- If companies like these are hacked, is my business safe?
- What is my liability if my customers’ credit card data is stolen?
- Why take on the responsibility for sensitive data when you can pass that responsibility to your merchant provider’s payment platform?
No business is immune from being hacked. The best thing to do is not take on the risk of storing credit card data in-house. Generally, the keeper of the card numbers is the one who is going to be responsible when a breach occurs. The fines and audit expenses can be costly for the responsible party.
Here are some tools that a merchant services provider can provide to keep you from being responsible for holding credit card numbers:
- A virtual terminal platform – In this solution, the credit card numbers are stored on the merchant service provider’s payment platform and can be accessed through a secure login to run secure transactions.
- A secure payment form – Not all merchant service providers provide this, but this is a secure online payment form that runs on your merchant service provider’s server. Credit card numbers are electronically passed straight to your provider’s secure payment processing platform.
- Tokenization – Instead of storing credit card numbers on your e-commerce website or accounting application, tokens are stored. These tokens are passcodes that can be used through your service provider’s secure platform to run transactions against the stored credit card numbers.
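To make the tokenization flow concrete, here is an added example (not part of the original article, and not any provider's real API) in which the merchant's records hold only a token and the last four digits, and a Luhn-based scan confirms that no card number is present on the merchant side. `ProviderVault`, `enroll_customer` and `find_card_numbers` are hypothetical names, and the card number is a constructed test value.

```python
import re
import secrets
import string


class ProviderVault:
    """Hypothetical stand-in for the provider's payment platform (not a real API)."""

    def __init__(self):
        self._cards = {}  # token -> card number; exists only on the provider side

    def tokenize(self, card_number):
        # The token is random, so the card number cannot be derived from it.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._cards[token] = card_number
        return token

    def charge(self, token, amount_cents):
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": card[-4:], "amount_cents": amount_cents}


def luhn_valid(digits):
    """Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return 13-19 digit runs in text that pass the Luhn check."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_valid(m)]


def enroll_customer(vault, merchant_db, customer_id, card_number):
    """Merchant side: hand the card to the provider, keep only token and last four."""
    token = vault.tokenize(card_number)
    merchant_db[customer_id] = {"token": token, "last4": card_number[-4:]}
    return token


TEST_CARD = "4111111111111111"  # constructed sample: a common test number, not a real card
```

Running `find_card_numbers` over a dump of the merchant's own records is a quick way to check that nothing resembling a card number is being kept in-house.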
The good news is that businesses do not have to store credit card numbers. The safest thing is not to. If a breach were ever to occur, the best position for your business to be in is to be able to say, “We do not store credit card numbers.” Be sure to work with your merchant services provider to take advantage of security self-assessments to make sure your business meets industry standards to be PCI compliant and lower your potential liability in a breach. These assessments generally include access to tools for network and server scans at a small monthly cost.
In closing, seek advice from your merchant services provider. They will have the expertise to assist you in deploying best practices.