Security Implications Of Storing Credit Cards In-House


One of the main differences between having your own merchant account and paying for a third-party payment service is that with the former you store credit card information yourself. With the latter, the provider holds the card data and you are not permitted to store it at all. So if you are considering applying for your own merchant account, you need to know the security implications of storing credit card information in-house. Otherwise, you are taking a huge risk with regard to fraud and other security issues.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (normally shortened to PCI or PCI DSS) is the credit card industry's response to threats against customer information. The major card brands realized that the risk of fraud was (and is) high, so they came up with a common industry standard to safeguard the information of cardholders. The idea is that merchant service providers and merchants must meet the minimum requirements dictated by the standard whenever they store, process, or transmit cardholder information.

PCI DSS is quite comprehensive, and it is up to you and your merchant service provider together to ensure that your business is compliant. Some of the core requirements of PCI DSS are:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security passwords
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

Some of these requirements should automatically come from your merchant service provider while you may have to check into the others on your own.

Data Storage Do’s

Here are some things to bear in mind and apply in order to keep your customers’ information safe.

Disclosure

Your privacy policy and security measures must be expressly made known to your customers. That is why you should always include links to these on your web site. Make sure that you explain clearly what your company has done and is doing to keep customers' credit card information safe while it is stored.

Firewalls

The Internet has made access to information as easy as possible. Given the sensitivity of the information you are storing, you cannot afford to let other people get hold of it. As such, you should install properly configured firewalls – both internal and external – to add an additional layer of protection between the cardholder data environment and everything else. Your merchant service provider may be able to help you out with this.

Encryption

Another requirement when it comes to credit card transactions is to employ strong encryption. Once cardholder data leaves your system and travels across a network, you cannot know who is able to observe it along the way. The only way to ensure that it stays safe is to encrypt the data before sending it, and to protect it again once it is stored. There are standards you must follow to ensure that your encryption method is strong enough; PCI DSS does not accept home-grown or outdated algorithms.
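The article's point about protecting stored cardholder data is easiest to see in code. The following is an added example, not code from the original article or from any merchant service provider: it reduces a post-authorization payment record to the fields PCI DSS allows a merchant to keep. The full PAN is never written out; only a masked form (first six and last four digits), the last four, and a keyed one-way hash (HMAC, so a truncated copy cannot be used to brute-force the hash) are retained, and the function refuses any record that still carries sensitive authentication data such as the CVV. The key, field names, and sample card number are constructed for the example; the "4111…" number is a well-known test PAN, and the key in a real deployment would live in a secrets manager or HSM, never in source.

```python
import hashlib
import hmac
import re

# Constructed placeholder: a real tokenization key is held in an HSM or secrets
# manager, never in source code.
TOKEN_KEY = b"example-key-placeholder-do-not-use"

# Sensitive authentication data that must not be stored after authorization
# (PCI DSS requirement 3): card verification codes, PINs, and magnetic-stripe tracks.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; rejects typos before anything is stored or hashed."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and verify the value is a plausible card number."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash: lets you match a returning card (e.g. for fraud
    screening) without the stored value being reversible to the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Reduce a payment record to the fields that may be kept after authorization."""
    forbidden = FORBIDDEN_AFTER_AUTH & {k.lower() for k in record}
    if forbidden:
        raise ValueError(
            f"refusing to store sensitive authentication data: {sorted(forbidden)}"
        )
    pan = normalize_pan(record["pan"])
    return {
        "pan_last4": pan[-4:],
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan),
        "expiry": record.get("expiry"),
        "cardholder_name": record.get("cardholder_name"),
    }


if __name__ == "__main__":
    # Constructed sample record using a public test card number.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cardholder_name": "A Test"}
    print(prepare_for_storage(sample))
```

The stored dictionary is what you would actually persist; the original `record` (and anything holding the CVV) should be discarded as soon as the authorization response comes back. If you need the full PAN later for recurring billing, that is the case for letting the payment provider tokenize the card rather than keeping it in-house.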

Employee Access

Trust is such a misused word.  Though you may trust those around you, you can never tell.  You have to protect your business and yourself by controlling employee access to information.  Some things you could do are:

  • Assign employee access to payment data on a need-to-know basis.
  • Assign a unique ID to each person with computer access to payment data.
  • Maintain the ability to track employee access to payment data through the use of unique IDs.
  • Change employee passwords regularly.
  • Ensure the employee security policy is understood by all your employees.
  • Require two-person control to access encrypted data.
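The access-control points above (need-to-know roles, a unique ID per person, an audit trail keyed on that ID, and two-person control for reaching decrypted data) fit together in one small gateway. The following is an added example written for this page, not code from the original article or from any vendor; the role names, permissions, and user IDs are constructed. Every access attempt, allowed or denied, is appended to the audit log, so the "track employee access" requirement is met by the same code path that enforces the rules.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed role model: only roles with a business need appear here at all.
ROLE_PERMISSIONS = {
    "support": {"view_masked"},
    "finance": {"view_masked", "export_report"},
    "payments_admin": {"view_masked", "decrypt_pan"},
}

# Actions that expose decrypted cardholder data need a second, distinct person.
TWO_PERSON_ACTIONS = {"decrypt_pan"}


class AccessDenied(Exception):
    pass


@dataclass
class AuditEvent:
    when: str
    user_id: str
    action: str
    record_id: str
    outcome: str
    approver_id: Optional[str] = None


@dataclass
class PaymentDataGateway:
    # user_id -> role. Each person has their own ID; there are no shared accounts.
    users: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, user_id, action, record_id, outcome, approver_id=None):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(),
            user_id, action, record_id, outcome, approver_id,
        ))

    def _can(self, user_id: Optional[str], action: str) -> bool:
        role = self.users.get(user_id) if user_id else None
        return action in ROLE_PERMISSIONS.get(role, set())

    def authorize(self, user_id: str, action: str, record_id: str,
                  approver_id: Optional[str] = None) -> bool:
        """Decide one access attempt and record the decision. Raises on denial."""
        if user_id not in self.users:
            self._log(user_id, action, record_id, "denied:unknown_user")
            raise AccessDenied(f"{user_id!r} is not a known user")
        if not self._can(user_id, action):
            self._log(user_id, action, record_id, "denied:no_need_to_know")
            raise AccessDenied(f"{user_id!r} has no business need for {action!r}")
        if action in TWO_PERSON_ACTIONS:
            # Approver must exist, be a different person, and hold the right themselves.
            if approver_id is None or approver_id == user_id or not self._can(approver_id, action):
                self._log(user_id, action, record_id, "denied:two_person_rule", approver_id)
                raise AccessDenied(f"{action!r} requires a second authorized approver")
        self._log(user_id, action, record_id, "allowed", approver_id)
        return True

    def accesses_by(self, user_id: str) -> List[AuditEvent]:
        """Everything one person did or tried to do: the report an auditor asks for."""
        return [e for e in self.audit_log if e.user_id == user_id]


if __name__ == "__main__":
    # Constructed staff list.
    gw = PaymentDataGateway(users={"alice": "support", "bob": "payments_admin", "carol": "payments_admin"})
    gw.authorize("alice", "view_masked", "txn-001")
    gw.authorize("bob", "decrypt_pan", "txn-001", approver_id="carol")
    for event in gw.audit_log:
        print(event)
```

Because the outcome string is part of the log entry, a simple count of `denied:*` events per user over a day is enough to spot someone probing for data they should not reach; that is the monitoring side of "track and monitor all access" from the PCI list above.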


Storing credit card information within your system is not a small matter.  In order to protect your customers and yourself from fraud, you ought to study the different ways and means of ensuring security.  There is no shortage of unscrupulous people who would take advantage of any flaw in your security system.  When choosing a merchant service provider, make sure you raise all issues you have with security even before you sign on the dotted line.