Best Practices for Keeping Card Numbers on File

From the smallest retailers to Amazon and in seemingly every vertical market including education and government merchants are keeping consumers’ credit card numbers on file. In some instances, it’s for the purpose of processing recurring payments, while in others, it’s to provide consumers with additional flexible payment convenience options.

But regardless of why a merchant retains credit card numbers, caution in doing so is warranted. After all, consider the alternative exposure to the risk of a data breach and the financial and reputational damage that result. That’s where best practices come in. Here are three best practices for keeping card numbers on file; we’ll explore more in future blogs.

Get It in Writing

Signing an agreement with any customer whose credit card information it intends to keep on file is one of the best things merchants can do to safeguard their business against financial and other consequences related to the “card on file” option. With such a “terms of service” document in hand, it will be more difficult for a customer to complain, for example, that their credit card number was used for the wrong purpose or that a charge was processed unexpectedly.

When it comes to the content of such an agreement, specificity and detail are key. Include the reason why the customer’s card number is being kept on file, for example, to cover a recurring charge for school tuition payments or utilities, or to pay for certain merchandise or services. If the charge will be processed for the same amount each month, note that amount. Indicate when (on what date) and how the charge will be made each month. The more specific the agreement, the fewer the problems that will ensure no angry telephone calls about why a charge was so “high” or why a transaction was processed on x date when the cardholder expected it to happen on y date.

Make certain to include a proviso that states that customers are “opting in” to have their card number kept on file. This way, they will be unable to claim that the number was used to cover charges without their permission.

Use Forms Correctly

Failure to exercise care with electronic forms used to collect credit card information can lead to a variety of problems, including inadvertent exposure of sensitive data and the possibility of hackers getting their hands on it. For starters, under no circumstances should credit card information be collected in the “text” field of a form. Why not? As we’ve noted in previous blog posts, no matter what goods or services they sell, all merchants that accept credit and debit cards must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Among other practices, the PCI-DSS stipulates the technical aspects of handling and managing credit card data and even an encrypted text field does not meet these stipulations.

Similarly, merchants should avoid storing credit card information in any “form builder” they use to gather such data. The same rings true for paper forms. Neither practice falls within the realm of PCI compliance. In short, there is nothing wrong with keeping customers’ credit card information on file providing it is done properly. Watch E-Complish’s blog posts for more best practices merchants can exercise to ensure a hassle-free  “card on file” experience, and schedule a consultation to learn more about our payment services and products.