Companies that accept credit cards for payment from customers, which is most businesses these days, often keep customers' credit card information on file for the next time they use their services, such as with an online shopping site. With the growing number of identity theft incidents, rules have been put in place regarding storage of credit card numbers and information to protect consumers.
PCI DSS Standards
The PCI Security Standards Council is an open global forum dedicated to the protection of credit account data. The major credit card companies require merchants who accept their cards to apply these security standards so that identity theft is less likely to occur. Large merchants, with over 6 million transactions annually, must receive quarterly network scans from an independent auditor as well as a detailed on-site assessment. Smaller merchants, with fewer than 20,000 transactions annually, are required only to report their own self-assessment of how they handle transactions and to follow the compliance guidelines set forth by the merchant's bank. If the guidelines are not followed and credit card information is stolen, merchants can lose the right to process credit card transactions with many of the larger credit card companies.
Erase Credit Card Data
Stored credit card data should be erased from your system as often as possible, though how often depends on the business and the type of security the business has on its data systems. Certain credit card data, however, may never be stored by any business: the CVV2 and CID codes, the three- or four-digit numbers printed on the back (or, on some cards, the front) of a credit card. These codes are the last line of defense on a credit card. Full magnetic-stripe (track) data and PIN data may not be stored either. If this information is stolen from a merchant, fines may be as high as $500,000 per incident.
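As an added example (not from the original article), the following Python filter sits in front of a storage layer and enforces the rule above: it drops any field holding a card security code, PIN or magnetic-stripe track data before a record is persisted, and masks the PAN to the first six and last four digits. The field names, the sample record and the track-data patterns are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Field names this filter treats as "never store after authorization"
# (assumed naming; adjust to the application's own schema).
PROHIBITED_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}

# Magnetic-stripe track layouts (assumption: ISO/IEC 7813 track 1 and track 2 formats).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits of the card number, mask the rest.

    If the full PAN must be retained (e.g. card-on-file), it has to be
    encrypted or tokenized; this example only keeps the masked form.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a copy of the record that is safe to persist, plus the fields removed."""
    clean: Dict[str, str] = {}
    removed: List[str] = []
    for key, value in record.items():
        name = key.lower()
        # Drop prohibited fields by name, and any value that looks like swipe data.
        if name in PROHIBITED_FIELDS or (
            isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value))
        ):
            removed.append(key)
            continue
        clean[key] = mask_pan(value) if name == "pan" else value
    return clean, removed


# Constructed sample record, as a point-of-sale system might hand it to storage.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "PAN": "4111 1111 1111 1111",
    "expiry": "1229",
    "CVV2": "123",
    "swipe": ";4111111111111111=12291011000012345678?",
}

if __name__ == "__main__":
    stored, dropped = sanitize_for_storage(SAMPLE_RECORD)
    print("stored:", stored)
    print("dropped:", dropped)
```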
Create Own Security
Merchants should also protect their customers' credit card data by providing their own security and running checks on the security of their own systems and employees. Independent security testers should be engaged by the company to find holes in its security systems and work out how to close them. Physical storage of credit card information, such as bags of receipts, makes it easy for thieves to walk in and steal credit card information outright. Such material should be kept only under secure lock and key and should be burned or shredded in a timely manner. Test employees as well: have an outside person hired by the company call and ask for a customer's specific credit card details, and see whether they reveal them. This will help protect your customers and, in turn, your business.