Use of credit card for making online purchases is very common nowadays. But due to incidences, like data breaching; customers are more concerned about how sensitive data (personal information of customer as well as credit card details) is being handled by merchants. As a merchant, you need to open a merchant account to carry out transactions and if your payment processor accepts credit card payment, you as a business owner is contractually obligated to provide security to your customer’s sensitive information shared while completing transaction process, which is imprinted in the contract you signed. If you are using third-party software to manage customer’s information, it should be able to protect all the information of your customer.
Here are five tips for proper handling the credit card information of your customer
Use Approved Software: When a merchant uses POS (Point of Sale) terminal, mobile running payment processor software or swipe machine to conduct transactions, as a merchant it is your duty to make sure that your hardware, as well as software, is PCI Compliant. There are many applications and card readers available that come with security loopholes. So, it is advisable to choose reputable hardware and software vendors who take full responsibility for the integrity of their product. For the long run and good reputation of your business make sure to use tested and approved solution.
Genuine Service Provider: You can avail services of a reputed service provider to install credit card processing software, manage credit card processing as well as credit card storage for your business. Service provider includes:
- SaaS (Web-based software)
- IVR phone services
It might also include companies to which the merchant outsources payment-processing functions. Through extensive testing of these service providers, you can make sure that they are trustworthy. Qualified Security Assessor (QSA) who performs a comprehensive audit of policies, procedures, and the system of the service providers does this type of testing. You can only use PCI DSS Validated service provider as a part of contract signed.
Storage of Sensitive Information: Payment processing regulations specifically prohibit the storage of credit card security code or any data contained in the magnetic strip of a credit card, although you may have business reasons for storing credit card information. The card security number is designed to know whether a customer who is using the card over the phone or internet actually does have the card in his possession. But if the security code is stolen, this approach will not work. In the magnetic stick, which is on the backside of the credit card, track data is stored, which contains the information of the account that is otherwise not displayed on the card. This data assists with authentication and the card cannot be forged.
Encrypted Electronic Storage: For recurring payment authorization or mail order authorization, the merchant might have to store credit card number. If such sensitive data is stored as paper documents, it should be stored in a secure place. If you process recurring transactions, you can also store credit card number via electronic storage but make sure that these files are well encrypted using a robust encrypted algorithm before storing. This provides protection against unauthorized access or if you lose your computer.
Phone Recording: To monitor the service quality and proof of payment authorization, a merchant might want to record the phone orders. It is advisable to encrypt recorded calls immediately and store it digitally in a limited access, password protected directory. Additionally, make sure that there is no other software attached to this storage system as it may expose these stored credit card numbers.
By simply following these five steps, you can meet your contractual requirements to protect credit card account information and the merchant can be PCI compliant. It will also help merchant in gaining customer’s confidence and loyalty, which will help in increasing the revenue.