The Merchant Processing Guru Tip #32: The 12 requirements of PCI Compliance – Requirement #3
Protect stored cardholder data. First of all, let me say that if you do not need to store cardholder data, then don't. Many businesses, however, need to keep cardholder data on file to make future payments easier for themselves and their customers. If this describes you and your business, you must be very careful how and where you store this data, and there is still certain data that PCI does not allow you to store: the 3-4 digits on the back of the card (CVV2), anyone's PIN for debit cards, and the full track data from the magnetic stripe of the card. Basically, all you can store is the cardholder name, the expiration date and the account number, which needs to be made unreadable through truncation of at least the second set of 6 digits, with the first 6 and last 4 being readable. These must be secured using cryptographic keys.
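The storage rule above, as an added example that is not part of the original tip: it keeps only the three storable fields and truncates the account number to its first 6 and last 4 digits before anything is written to disk. The field names and the sample record are assumptions made for illustration, and the key-based protection of the stored record is outside what this sketch covers.

```python
import re

# Assumed field names for this example. Anything outside this allow-list
# (CVV2, PIN, full track data, ...) is dropped and never reaches storage.
ALLOWED_FIELDS = {"cardholder_name", "expiration", "pan"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so mistyped account numbers are rejected before storage."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits readable; mask everything between."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("account number must be 13-19 digits")
    if not luhn_valid(digits):
        raise ValueError("account number fails the Luhn check")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return only what may be kept on file, with the account number truncated."""
    stored = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    stored["pan"] = truncate_pan(record["pan"])
    return stored


# Constructed sample input; 4111 1111 1111 1111 is a widely used test number.
sample = {
    "cardholder_name": "Test Customer",
    "expiration": "12/30",
    "pan": "4111 1111 1111 1111",
    "cvv2": "123",
    "pin": "0000",
    "track_data": "constructed-track-data-placeholder",
}

if __name__ == "__main__":
    print(prepare_for_storage(sample))
```
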
You must implement a disposal policy and procedure for the cardholder data you gather, so that it is never left unsecured anywhere and is disposed of once it is no longer needed. You are also required to limit access to this information to only those who need it for business purposes.
If you do need to store cardholder information for future payments, you have many options today that will allow you to do so in a compliant manner, depending upon your business needs. Should you need monthly recurring charges that are billed at the same time every month for the same amount, then a simple SSL-secured online gateway with recurring billing enabled is a great option. However, should you need to keep a card on "file" for an unknown future billing amount and date, then you can store your customer information in a secure online "customer vault".
Russell Harverson has over 9 years' experience in the credit card processing industry and has built a reputation for "being there" for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost-effective processing solution for your individual business needs; no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him, call 1-888-368-GURU (4878).