The growing number of data breaches that expose credit card information is driving ever stricter requirements for the proper handling of cardholder data.
It is critical that a business examine how it stores customer payment data to see whether it can reduce the risk of card fraud.
The PCI DSS (Payment Card Industry Data Security Standard), maintained by the PCI Security Standards Council, was established to dictate what businesses should do with this type of data to protect themselves and their customers.
The Dilemma with Cardholder Data Storage
Often, a business stores this customer data in order to provide a refund or to offer a subscription billing service in which the cardholder authorizes a monthly charge to their card. Without the ability to store this data, these types of transactions could become very time-consuming, inefficient, and irritating to the customer.
Yet the PCI DSS has specific requirements for how this customer payment data can and cannot be stored. This creates a challenge for a business owner: how to satisfy both needs.
However, there are strategies you can employ to handle this data properly while still supporting transactions such as recurring billing and refunds.
Defining Cardholder Data
It is important first to define exactly which data is being referred to in these situations. Cardholder data is any information found on the front or back of the payment card, including the data stored digitally on the magnetic stripe on the back of every card.
Many cards also have a chip embedded in the front that contains cardholder data as well. The front of the card carries the cardholder’s name, the card number (also known as the primary account number, or PAN), and the expiration date, while the back typically carries the card verification value (CVV).
The Do’s and Don’ts of Cardholder Data Storage
The basic rule of data storage is that a business may store the cardholder name, primary account number, expiration date and service code, and only for legitimate business needs such as the possibility of a refund or a subscription billing process.
Any information found on the chip or magnetic stripe may never be stored, for any reason. This falls under the PCI DSS Requirement 3 guidelines.
Essentially, these requirements tell you not to store any cardholder data unless it is necessary for your business and its transactions. By not storing the sensitive information listed above, you have already reduced the amount of data you hold.
Other strategies include using access controls so that the data you do decide to store can be reached only by authorized people.
No data should be stored on payment card terminals, laptops, smartphones, or computers. It is also a good idea never to print personally identifiable payment card data at any time, including on the receipt for the purchase itself. If you must display the data for some reason (and there are very few legitimate reasons), it should be truncated or masked.
Best Practices for Cardholder Data Storage
PCI DSS also requires that you render the primary account number unreadable wherever you store it, including logs, backup media, and digital media. If you do store cardholder data on such media, make sure it is kept in a locked, access-controlled room.
Various technology solutions can make the number unreadable even in storage: a one-way hash function built on strong cryptography turns the account number into a unique cryptographic value.
You can also truncate the account number, keeping only the last four digits of the primary account number. Other technology uses index tokens and securely stored pads: the stored value is a token that references the account number, and the sensitive data is combined with a random pad or key that is used only once.
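As an added illustration (not part of the original article), the following Python sketch shows the two rendering techniques just described, truncation to the last four digits and a keyed one-way hash, plus a Luhn-filtered scan that finds unmasked account numbers in log text such as the backups and logs the requirement covers. The sample PAN, the log lines and the HMAC key are constructed test data, not values from the article.

```python
import hashlib
import hmac
import re

# Constructed sample: an industry test card number, not a real account.
SAMPLE_PAN = "4111111111111111"

# Constructed log lines: one leaks a full PAN, the other is already masked.
SAMPLE_LOG = (
    "2024-01-01 12:00:00 refund ok card=4111111111111111 amount=10.00\n"
    "2024-01-01 12:00:01 refund ok card=************1111 amount=5.00"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN.

    An unkeyed hash is not enough: the PAN space is small and issuer prefixes
    are public, so plain hashes can be brute-forced. Keep the key separate
    from the hashes (placeholder key in the test below)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# Digit runs of card-number length not adjacent to other digits.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid digit runs of card-number length found in free text."""
    return [m for m in _PAN_RE.findall(text) if luhn_valid(m)]


def redact_pans(text: str) -> str:
    """Replace each detected PAN with its truncated form before the text is kept."""
    return _PAN_RE.sub(
        lambda m: truncate_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        text,
    )
```

The Luhn filter removes most false positives from timestamps and order numbers, but a scan like this is a detective control, not a substitute for masking at the point of logging.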
If you rely on third parties to process payments, make sure they also comply with PCI DSS and have established policies for access control and password protection.
Always seek out a payment processing partner that has raised its compliance to the highest possible level, to help protect you and your customers from fraud and theft.