No one said staying on top of PCI compliance was fun, but we can’t stress its importance enough. Leaving gaps in your PCI compliance is a sure way to get hit with a business-crippling fine if you are breached.
Depending on your PCI level, these fines can range from a few thousand dollars to $100k/month, and many businesses fail to recover from an experience like that.
Your decisions around storing credit card information are critical to your compliance and security apparatus. PCI compliance is about protecting your customers’ sensitive financial data, and there are few things more sensitive than a client’s credit card information.
Today, we’re going to discuss thirteen foolproof tips that will show you:
- How to store credit card information securely;
- How to communicate that effectively to your employees;
- The mechanisms you need in place to prevent breaches; and
- How to make PCI compliance easy.
Let’s dive in.
How to store credit card information
1. Understand basic PCI standards
PCI compliance is about proving that you are proactively protecting your customers’ data.
PCI DSS applies to any of your organizations or locations that accept transactions, and you need to have policies and strategies for storing and protecting that data for each location.
Because each business is unique, there is no exact list of items that you need to do in order to “attain” compliance. Compliance is as much about the hardware and software you use as about the practices you have in place to check up on them.
The security council in charge of PCI compliance does have a PCI compliance checklist for you to follow, but it’s more of a way to organize your efforts as opposed to an exact list of to-dos.
Official assessments are about analyzing security infrastructure from a technical standpoint and from an employee’s best practices or policy standpoint. You need to prove that you are working to protect the data you collect.
That being said, there are some basic things you need to check off, including:
- PCI-compliant hardware and software. Most merchant services providers build their products according to these standards.
- A secured server. This is usually handled by the software you use unless you have created your own custom solution.
- Consistent employee education. Specifically, around the dangers of data breaches.
2. Confirm you need to store credit card data
Storing online credit card data is most advantageous for businesses that deal with recurring billing or have active account users who purchase frequently.
If you don’t fall into that camp, however, there are few arguments for why you should store credit card data on your servers. If it isn’t providing a clear benefit to your customers and bottom line, get rid of it.
3. Never write card numbers down
Manually taking credit card numbers on paper and storing them is one of the biggest mistakes you or your employees can make. This information is private and should only be used for the duration of the transaction.
Do not, under any circumstances, store physical credit card information in your store or in places like Google Drive, Dropbox, etc.
4. Make sure all locations are compliant
Just because your headquarters or servers are PCI compliant doesn’t mean your storefronts are. You need to have a system in place that addresses each business location individually.
5. Tie up loose ends by building a system
The PCI Security Standards Council recommends building a system made up of three parts, which it defines as follows:
- Program: typically includes strategic objectives, roles and responsibilities, and a plan to achieve business objectives. For example, a vendor-management program defines the roles and strategy to properly procure, onboard, manage, and off-board third-party service providers.
- Policy: typically includes a statement of management intent or rules that must be followed – e.g. a password policy defining strong passwords and the frequency with which they must be changed.
- Procedures: typically outline the step-by-step tasks that responsible personnel must follow to properly complete tasks that align with the program and supporting policies – e.g. listing the steps needed to encrypt sensitive information before emailing it to a service provider.
Use this framework to organize your efforts. By creating these according to the PCI Council’s guidelines, you will be better prepared for any potential audits.
6. Don’t overlook phone security
If you take payments over the phone, make sure it’s via a secure line and those messages are stored in a secure vault. Do not use your local line or personal cellphone lines to accept orders without security.
7. Only collect credit card details through secure forms
Regular contact fields on forms from CRMs like ActiveCampaign or HubSpot are not secure and should never be used to collect sensitive information.
If you need to collect payment information, do so through an official payment gateway that is secure and built for that use. Everything sensitive should be encrypted with no exceptions!
8. Understand the risks of a PCI fine
PCI breaches are serious. Penalties range from fines starting at $5k and running up to $100k+, to termination of your merchant account by your acquiring bank, to increased transaction fees as a penalty for the added risk.
Because a PCI compliance failure can hit both your wallet and your ability to keep accepting transactions, it is a double threat that deserves your consistent attention.
9. Take extra caution if you use recurring billing
Again, you should first determine if you even need to support recurring billing. If the value outweighs the risks, then we recommend using a secure vault.
A vault is a data storage service that holds the card details on your behalf and hands your payment system a token in their place; your system references the card by that token for each charge, and the card data itself stays with the vault. It effectively removes those numbers from your possession and reduces the risk of breaches dramatically.
And keep in mind, if you need to store the data yourself, you will be raising the bar for your self-assessment and may need a council-certified assessor, known as a Qualified Security Assessor (QSA), to audit your system.
10. Never store credit card details in your CRM
Similar to form fields, you should never store sensitive information in CRM profiles unless it is encrypted.
Yes, tying payment information to customer lifetime value is important, but you can do that without sacrificing your security.
Either find a system that puts that information in a secure vault or use separate software to link that information together when needed.
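Tips 7, 9 and 10 describe the same architecture: card details go to a vault, the merchant system and the CRM keep only a token plus display data, and ordinary form fields are never allowed to carry a card number. The following is an added example written for this page, not code from the article or from any payment provider; the vault, processor and CRM shapes are assumed, and the card number used is the well-known 4111 1111 1111 1111 test number (a constructed sample, not a real card).

```python
"""Added example: a tokenization boundary plus a CRM intake guard.
The vault, processor and CRM shapes are assumptions, not any provider's API."""
import re
import secrets
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every card brand applies to its PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) embedded in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


class CardVault:
    """Stands in for the provider-side vault from tip 9 (assumed shape)."""

    def __init__(self) -> None:
        # token -> card data. A real vault encrypts this at rest and runs
        # outside the merchant's network; here it is an in-memory dict.
        self._cards: dict[str, dict] = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> dict:
        digits = re.sub(r"[ -]", "", pan)
        if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a valid card number")
        # Random token: it carries no information about the PAN, so a leaked
        # token cannot be reversed into a card number.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = {"pan": digits, "exp_month": exp_month, "exp_year": exp_year}
        return {"token": token, "last4": digits[-4:], "exp_month": exp_month, "exp_year": exp_year}

    def charge(self, token: str, amount_cents: int, processor) -> str:
        """Recurring charge: the merchant sends only the token; the vault
        resolves the PAN and forwards it to the processor."""
        card = self._cards.get(token)
        if card is None:
            raise KeyError("unknown token")
        return processor(card["pan"], card["exp_month"], card["exp_year"], amount_cents)


@dataclass
class CrmContact:
    """What the merchant's CRM is allowed to hold (tip 10): token and display data only."""
    customer_id: str
    email: str
    notes: str
    payment_token: str = ""
    card_last4: str = ""


def intake_form(vault: CardVault, fields: dict) -> CrmContact:
    """Process a web form (tip 7): the card field goes straight to the vault, and
    every other field is rejected if it carries a card number, so a PAN typed
    into a 'notes' box never reaches the CRM."""
    for name, value in fields.items():
        if name != "card_number" and find_pans(str(value)):
            raise ValueError(f"field '{name}' contains a card number; refusing to store it")
    contact = CrmContact(fields["customer_id"], fields["email"], fields.get("notes", ""))
    if fields.get("card_number"):
        rec = vault.tokenize(fields["card_number"], int(fields["exp_month"]), int(fields["exp_year"]))
        contact.payment_token = rec["token"]
        contact.card_last4 = rec["last4"]
    return contact


def stub_processor(pan: str, exp_month: int, exp_year: int, amount_cents: int) -> str:
    """Stand-in for the acquirer call (assumed); returns an authorization code."""
    return f"AUTH-{pan[-4:]}-{amount_cents}"


def demo() -> dict:
    """Constructed walk-through: one clean submission, one that leaks a PAN in notes."""
    vault = CardVault()
    good = {"customer_id": "c-1001", "email": "a@example.com", "notes": "prefers invoice by email",
            "card_number": "4111 1111 1111 1111", "exp_month": "12", "exp_year": "2030"}
    contact = intake_form(vault, good)
    bad = {"customer_id": "c-1002", "email": "b@example.com",
           "notes": "customer read card over phone: 4111-1111-1111-1111 exp 12/30"}
    try:
        intake_form(vault, bad)
        rejected = False
    except ValueError:
        rejected = True
    return {"contact": contact,
            "crm_holds_pan": "4111111111111111" in re.sub(r"[ -]", "", str(contact)),
            "bad_rejected": rejected,
            "auth": vault.charge(contact.payment_token, 1999, stub_processor)}


if __name__ == "__main__":
    print(demo())
```

The design point is where the PAN is allowed to exist: only inside `CardVault`. The CRM record carries a random token and the last four digits, so a CRM export or a leaked database dump contains nothing a fraudster can charge, and the intake guard stops the common failure of a card number being pasted into a free-text field.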
11. Routinely update hardware and software
80% of hacking attacks could be prevented by strengthening passwords and installing software patches.
Part of your PCI compliance procedures should be to ensure that your hardware and software are updated. Failing to update your POS system or smart terminals could open your business up to vulnerabilities. If a patch comes through, download it immediately.
The council also recommends that you:
- Identify which vendors send you patches and make sure you’re not missing their update notifications.
- Don’t ignore vulnerabilities in eCommerce gateways and processors. Since this is where the bulk of credit card information is collected online, you need to stay on top of updates for these components more than anywhere else.
12. Take extra caution when accessing systems remotely
The number one way merchants get hacked is insecure remote access. Problems tend to arise when you’re out of the office or off site, but do whatever you can to reduce your reliance on remote access software products.
Many of these vendors use simple passwords for remote access, which makes it easy for attackers to get into your systems.
The security council recommends:
- Limit remote access in general. Encourage your staff to pass along issues to employees on location instead of handling them at home.
- Use multi-factor authentication. Multi-factor authentication can take all sorts of forms. From a specific physical dongle to a smart card you can scan, there are a variety of sophisticated methods for protecting remote access.
- Require unique credentials for each user. Don’t share a master username and password with everyone in the office. If one person makes an error and leaks that information or stores it in an insecure place, your entire system could be compromised.
The easiest way to tackle PCI compliance
Work with a competent and modern merchant services provider.
Working with a merchant services company that prioritizes PCI compliance does not exclude you from your PCI DSS compliance duties, but it does dramatically cut down the effort it requires.
Take us, for example. We give each merchant we work with a PCI compliance dashboard. This dashboard reminds you what, when, and how to check to ensure that you are protected, and we even offer up to $100k in breach insurance for free.
Safeguard your business and customers with secure payment processing.