Best Practices For Keeping Card Numbers on File (Part 2)

Whether to process recurring payments, offer maximum payment flexibility to customers, or a combination thereof, it’s common for merchants to keep customers’ credit card numbers on file.

However, it’s also important to take steps to guard against negative consequences that can occur when doing so—namely, the risk of a data breach and subsequent stiff fines. Last month, we spotlighted two important best practices merchants should follow when maintaining customers’ credit card numbers and promised some more. Let’s explore a few of these.

Avoid storing card security numbers and electronic track data

Card security numbers go by many names—CVV2, CID, and CSC, for starters. But whatever you call it, the card security number is the three-digit number that appears on the back of Visa, MasterCard, and Discover cards—usually in the top right-hand corner of the signature strip. For American Express cards, it’s the four-digit number found on the front, to the far right of the graphic. As for electronic track data, it’s additional information about Visa, MasterCard, Discover, and American Express accounts that isn’t displayed on the cards themselves.

Credit card processing rules prohibit merchants from storing both card security numbers and any track data contained in the magnetic strip of any card. But even if this were not the case, there are compelling reasons to avoid keeping such information on file together with credit card numbers. As most, if not all, merchants are aware, card security numbers serve to confirm that a transaction authorized by telephone or online is legitimate—in other words, that the cardholder is who he or she claims to be and actually has the card in his or her possession. In the (hopefully unlikely) event that a criminal gets ahold of a card number, he or she will, without the accompanying card security number, be unable to successfully use that card number for fraudulent purposes.

Similarly, electronic track data helps to legitimize transactions, as well as to prevent criminals from manufacturing counterfeit credit cards. Without this data, fraudulent transactions are far less likely to be processed, and creating counterfeit credit cards becomes a difficult, if not impossible, endeavor.
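A practical way to enforce the rule above is to scan the records you actually keep on file for the two things that must never be there: a card security number stored as its own field, and magnetic-stripe track data that has leaked into a free-text field. The following is an added example written for this post, not code from E-Complish or from any card brand; the record layout, the field names it treats as security-code fields, and the sample records (built on a well-known test card number) are all constructed assumptions. Track data is recognized by the ISO/IEC 7813 layouts (track 1 begins with `%B`, track 2 with `;`, both end with `?`), with a Luhn check on the embedded account number to cut down on false positives.

```python
"""Scan stored payment records for sensitive authentication data (SAD).

Added example, not part of the original post. It flags the two things the
post says must never be kept on file: card security numbers (CVV2/CID/CSC)
and magnetic-stripe track data. Keeping the card number itself is the
post's premise and is not flagged here.
"""
import re
from dataclasses import dataclass

# ISO/IEC 7813 track layouts (assumption: data is stored as plain text).
# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}\d{3}[^?]*\?")

# Field names under which a security code is commonly (and wrongly) stored.
# Constructed list; extend it to match your own schema.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "csc",
            "security_code", "card_security_number"}


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str    # "cvv", "track1" or "track2"
    field: str   # which field of the record held the data


def scan_record(record: dict) -> list[Finding]:
    """Return one Finding per piece of SAD found in a single stored record."""
    findings: list[Finding] = []
    rid = str(record.get("id", "?"))
    for key, value in record.items():
        # A security-code field with any non-empty value is a violation.
        if key.lower() in CVV_KEYS and str(value).strip():
            findings.append(Finding(rid, "cvv", key))
        # Track data can hide in any free-text field (notes, raw logs...).
        if isinstance(value, str):
            for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
                m = rx.search(value)
                if m is None:
                    continue
                pan = re.search(r"\d{12,19}", m.group(0)).group(0)
                if luhn_ok(pan):
                    findings.append(Finding(rid, kind, key))
    return findings


def scan_records(records: list[dict]) -> list[Finding]:
    """Scan a batch of records; an empty result means no SAD is on file."""
    out: list[Finding] = []
    for rec in records:
        out.extend(scan_record(rec))
    return out


# Constructed sample records. 4111111111111111 is a well-known test PAN.
SAMPLE_RECORDS = [
    {"id": "A1", "pan_token": "tok_3f9c", "last4": "1111", "exp": "12/27"},
    {"id": "B2", "pan": "4111111111111111", "cvv2": "123", "exp": "12/27"},
    {"id": "C3", "notes": "terminal dump: ;4111111111111111=27121011234?"},
    {"id": "D4", "notes": "%B4111111111111111^DOE/JANE^27121011234?"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.kind} found in field '{f.field}'")
```

Run this against an export of the card-on-file table and any free-text columns next to it; a non-empty result is a retention violation to remediate, not a warning to tune out. Record A1 (a token plus last four digits) passes, while B2, C3 and D4 are each flagged once.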

Protect credit card information collected by telephone

Many merchants that take telephone orders or accept payments by telephone using live agents or an interactive voice response (IVR) system record their calls and give customers who have never before done so the option to save their card number for subsequent transactions. However, by storing calls digitally—as is the case with VoIP systems—merchants are creating a database that contains credit card numbers and card security numbers. Protecting the information in this database from theft or misuse necessitates encrypting it as soon as possible.

Storing the encrypted data in a password-protected directory and limiting access to the directory to those whose responsibilities warrant it is also a must. So, too, is being sure to avoid integrating any conversion software with the system. Such integration would allow anyone accessing the database to easily get his or her hands on stored data derived from telephone calls, again putting it at risk of theft or misuse.

Look for more best practices for storing customers’ credit card data next month in another E-Complish blog post. To learn more about our payment services and products and/or schedule a consultation, click here.

In case you missed the beginning of the series, check it out: Best Practices For Keeping Card Numbers on File (Part 1)