Safe Storage of Credit Card Information

The Payment Card Industry Data Security Standard (PCI DSS) outlines what are acceptable forms of processing, storing and transmitting your clients’ credit card information. It consists of common-sense steps that mirror security best practices and is endorsed by all major credit and charge card payment brands, including Visa, MasterCard, American Express, Diners Club and JCB.

| Goal | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data<br>2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data<br>4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs<br>6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know<br>8. Assign a unique ID to each person with computer access<br>9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data<br>11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |

The best practice to adopt is simple: if you don’t need to keep the credit card information, don’t keep it. However, if you do need to keep your clients’ credit card information on file, the PCI DSS restricts which card elements can and cannot be stored.

The following information cannot be stored after authorisation:

* Sensitive cardholder information, i.e. the full contents of the track data from the magnetic stripe of the card.
* Card Verification Numbers (CVV2/CVC2/CID). These are the three digits on the back of the card, or the four digits on the front of the card for American Express.

It is important to remember that you can only store the customers’ account information that is necessary for your business, and only with the cardholders’ knowledge and consent. Cardholder information needs to be destroyed after its use. If you are using manual paper facilities, it is imperative that you destroy all carbon copies of manual imprints in such a way that the details are unreadable. The same must be done for sales vouchers printed by EFTPOS terminals. This ensures that carbon copies and terminal sales vouchers cannot be retrieved from the rubbish, where fraudsters could otherwise recover and use the data. Further information on storing electronic data securely can be found by going to: You can ensure that your business complies with the full PCI Standards by completing the SAQ, which is available on the websites mentioned above.
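The two storage rules above (never retain track data or card verification numbers after authorisation, and keep only the fields your business actually needs) can be enforced in code before a payment record ever reaches a database. The following is an added example, not code from the original post: it assumes a payment record is a flat dictionary of strings, and the field names, the allow-list and the sample record are constructed for illustration. The track-data patterns follow the standard magnetic-stripe layout (Track 1 begins with `%B` and uses `^` separators; Track 2 begins with `;` and uses `=`).

```python
import re
from typing import Dict, List, Set, Tuple

# Field names that carry sensitive authentication data (card verification
# values and magnetic-stripe contents). Names are assumptions about a typical
# payment record; extend the set to match your own schema.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid",
                    "track1", "track2", "track_data"}

# Magnetic-stripe track layouts: Track 1 is "%B<PAN>^<NAME>^<YYMM>...",
# Track 2 is ";<PAN>=<YYMM>...". A match means raw swipe data leaked into a
# free-text field and must not be stored, whatever the field is called.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def scrub_for_storage(record: Dict[str, str],
                      allowed: Set[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (fields safe to persist, reasons for each dropped field).

    A field is kept only if it is on the business need-to-know allow-list AND
    it is neither a known sensitive-authentication-data field nor a value that
    looks like raw track data. The dropped list is intended for audit logging,
    so it names the field but never echoes the sensitive value itself.
    """
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in record.items():
        key = name.lower()
        if key in FORBIDDEN_FIELDS:
            dropped.append(f"{name}: sensitive authentication data")
        elif TRACK1_RE.search(value) or TRACK2_RE.search(value):
            dropped.append(f"{name}: contains magnetic-stripe track data")
        elif key not in allowed:
            dropped.append(f"{name}: not required for storage")
        else:
            kept[name] = value
    return kept, dropped


# Constructed sample record (test card number, not a real account).
SAMPLE_RECORD = {
    "customer_id": "C-1042",
    "cardholder_name": "Jane Doe",
    "cvv2": "123",
    "track2": ";4111111111111111=25121010000000000000?",
    "memo": "swipe dump: %B4111111111111111^DOE/JANE^2512101?",
}
ALLOWED_FIELDS = {"customer_id", "cardholder_name", "memo"}
```

Calling `scrub_for_storage(SAMPLE_RECORD, ALLOWED_FIELDS)` retains only `customer_id` and `cardholder_name`; the `memo` field is dropped despite being allowed because its value contains Track 1 data.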
