Businesses of all types and sizes now keep consumers’ card numbers on file as a convenience for customers, clients, and patients—as well as to make the collection process easier for themselves. However, doing so can be risky unless best practices are implemented. We covered some of these in a blog post published in September, as well as in a second blog post that appeared in October. Now let’s look at the last two best practices for ensuring the safety of card numbers kept on file.
Insist on PA-DSS-validated applications and PCI DSS-compliant payment solutions.
Use only payment applications that have been developed in accordance with the Payment Application Data Security Standard (PA-DSS) and validated against it, deployed in a way that supports your own PCI Data Security Standard (PCI DSS) compliance. Just as certain point-of-sale (POS) hardware offerings have security vulnerabilities that make them risky to use, so do some payment applications. Reputable solution providers ensure that their offerings support PCI DSS compliance, in large part by having them validated against PA-DSS. Note the distinction, though: PA-DSS validates the application, while PCI DSS applies to the merchant or service provider that deploys it. Installing a validated application does not by itself make a business PCI DSS compliant; the application must also be installed and configured according to its PA-DSS Implementation Guide, and the surrounding environment must meet PCI DSS.
The PA-DSS was maintained by the PCI Security Standards Council (PCI SSC), which published a list of applications that had been assessed and validated as compliant with it. Applications earn a place on that list by being assessed by a Payment Application Qualified Security Assessor (PA-QSA). Among the many PA-DSS requirements, a validated application must never store cardholder data on a server connected to the Internet and must have built-in provisions for protecting any cardholder data it does store. Before relying on a listing, check that the specific application version and deployment type you are buying is the one listed, and that its validation has not expired. (PA-DSS has since been retired by the PCI SSC in favor of the PCI Software Security Framework, so newer applications are validated under that framework instead; the underlying advice to insist on a validated application is unchanged.)
Partner only with approved service providers.
Service providers can manage card processing and card-number storage so businesses don't have to; some handle all payment processing functions. Engaging one does not transfer a business's PCI DSS obligations, however. To remain PCI DSS compliant, a business that uses a service provider must choose one that is a validated entity, obtain the provider's current Attestation of Compliance (AOC), and keep a written record of which PCI DSS requirements the provider covers and which remain the business's own responsibility. PCI DSS Requirement 12.8 expects businesses to maintain this list of providers and to confirm each provider's compliance status at least annually.
What does "validated" mean? Level 1 service providers, the ones that appear on the card brands' registries of validated providers, must undergo an annual on-site assessment by an external Qualified Security Assessor (QSA). The QSA conducts a comprehensive audit of the provider's policies, procedures, and systems and documents the result in a Report on Compliance (ROC) and an AOC. Only a provider that passes this assessment is designated a PCI DSS validated service provider. Ask for the AOC rather than taking a "PCI compliant" badge at face value; the AOC states the assessment date, the assessor, and the services that were actually in scope.
E-Complish is a Level 1 PCI DSS validated service provider that supplies payment solution technologies to companies across the globe. With E-Complish's PCI DSS-compliant solutions in place, businesses can keep stored card data out of their own systems and rely on a validated provider to protect it.
In case you missed the first two best practices in the series, see below: