The Payment Card Industry Data Security Standard (PCI DSS) outlines the acceptable ways of processing, storing and transmitting your clients’ credit card information. It consists of common-sense steps that mirror security best practices and is endorsed by all major credit and charge card payment brands, including Visa, MasterCard, American Express, Diners Club and JCB.
PCI DSS Requirements
The best practice to adopt is simple: if you don’t need to keep the credit card information, don’t keep it. If you do need to keep your clients’ credit card information on file, the PCI DSS restricts which card elements can and cannot be stored.
The following information cannot be stored after authorisation:
* Sensitive authentication data, i.e. the full contents of the track data from the magnetic stripe of the card.
* Card verification numbers (CVV2/CVC2/CID). These are the three digits on the back of the card, or the four digits on the front of the card for American Express.
It is important to remember that you may only store the customer account information that is necessary for your business, and only with the cardholder’s knowledge and consent.
Cardholder information needs to be destroyed after its use. If you are using manual paper facilities, it is imperative that you destroy all carbon copies of manual imprints in such a way that the details are unreadable. The same must be done for sales vouchers printed by EFTPOS terminals. This ensures that carbon copies and terminal sales vouchers cannot be retrieved from the rubbish, where fraudsters could otherwise recover and use the data.
Further information on storing electronic data securely can be found by going to:
You can ensure that your business complies with the full PCI Standards by completing the Self-Assessment Questionnaire (SAQ), which is available on the websites mentioned above.