
How to store credit card information: best practices for UK merchants

Best practices for securely storing credit card info, including data protection tips.

Offering customers the option to store credit card information can streamline the checkout process, creating a smoother shopping experience and reducing the risk of cart abandonment. But there are significant risks associated with storing credit card information too. Get it wrong and the consequences could be severe – for you and your customers.

Credit card data is particularly sensitive, protected by legal and regulatory requirements. The Data Protection Act (DPA), the UK’s implementation of the General Data Protection Regulation (GDPR), defines your legal obligations when handling and storing personal information. Similarly, every transaction and payment card interaction is bound by the PCI DSS industry regulation. Every merchant in the UK is responsible for protecting credit card information, even if they don’t store that data at all.

For a quick primer, see our guide: Accepting credit card payments as a small business.

Why secured credit card storage matters for merchants

Data breaches, particularly those affecting sensitive information like credit cards, can be catastrophic. Usually there is an immediate financial loss, often in the form of fines issued by regulators, along with potential legal penalties.

Data breaches also have a negative effect on your company reputation. High-profile incidents have a long-term negative effect on customer trust and revenue.

When it comes to storing customer credit card information, pay close attention to the PCI DSS regulations. These security standards are essential, providing very strict compliance guidelines for your systems and processes. Failure to comply can lead to severe penalties, with fines for non-compliance ranging from £3,000 to £60,000. Your merchant account may be terminated too.

PCI DSS provides helpful guidance on what your business must do. One key consideration is the classification of “sensitive” and “non-sensitive” information. Sensitive data must not be stored post-transaction and includes:

  • CVV/CVC code
  • Any kind of authentication data

This information must be destroyed at the conclusion of the transaction, or not recorded at all. Read more about how credit card processing works to understand how this data is used to verify transactions.

Non-sensitive data can be kept on file, however, and includes:

  • Cardholder name
  • Credit card number (the 16-digit number on the front of the card, also known as the Primary Account Number – PAN)
  • Card expiration date

These details should be encrypted to protect against leaks or theft.
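The classification above, applied at the point where a captured payment record is about to be written to storage, as an added example (not Worldpay’s code or a PCI-approved tool): the field names, the StorableCard record and the 4111… card number are constructed for illustration, and the full PAN in the returned record still has to be encrypted before it reaches disk or a database.

```python
from dataclasses import dataclass

# Field names are constructed for this example; map them to the names your own
# payment form or terminal produces. Anything in SENSITIVE_AUTH_DATA may be used
# to authorise the transaction but must never be written to storage afterwards.
SENSITIVE_AUTH_DATA = {"cvv", "cvc", "cvv2", "cvc2", "pin", "pin_block", "track1", "track2"}
STORABLE = {"cardholder_name", "pan", "expiry_month", "expiry_year"}


@dataclass
class StorableCard:
    cardholder_name: str
    pan: str         # full number: encrypt before it reaches disk or a database
    expiry: str      # "MM/YY"
    pan_masked: str  # safe for receipts and UIs: first six and last four digits only


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits for display."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length is not plausible")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(captured: dict) -> tuple[StorableCard, set[str]]:
    """Split a captured record into what may be kept and what was dropped.

    Returns the storable record and the set of field names discarded because
    PCI DSS forbids storing them after the transaction. Fields that are neither
    classified as storable nor as sensitive are refused outright: an unknown
    field is more likely to be a stray copy of authentication data than harmless.
    """
    dropped = {k for k in captured if k.lower() in SENSITIVE_AUTH_DATA}
    unknown = set(captured) - dropped - STORABLE
    if unknown:
        raise ValueError(f"unclassified fields refused: {sorted(unknown)}")
    digits = "".join(ch for ch in captured["pan"] if ch.isdigit())
    card = StorableCard(
        cardholder_name=captured["cardholder_name"],
        pan=digits,
        expiry=f"{int(captured['expiry_month']):02d}/{captured['expiry_year'][-2:]}",
        pan_masked=mask_pan(digits),
    )
    return card, dropped
```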

Understanding PCI DSS merchant compliance

PCI DSS merchant compliance requirements apply to every business that handles, processes or stores credit and debit card information. The standard defines several security guidelines established by major card brands to protect customers’ data.

There are 12 key requirements for PCI DSS merchant compliance:

  1. Protect cardholder data with a network firewall
  2. All passwords and security parameters must be changed from factory defaults
  3. Cardholder data must be ‘protected’ during storage
  4. Cardholder data must be encrypted during transmission across ‘open’ networks like the internet
  5. Systems must be protected by regularly updated anti-malware software
  6. Develop and maintain secure systems
  7. Access to cardholder data must be restricted to employees who have a legitimate reason to see it
  8. Data must be secured by authenticated user accounts
  9. Physical records must be similarly restricted and protected
  10. All access to cardholder data must be recorded and audited
  11. Security systems must be tested regularly to ensure they are still fit for purpose
  12. Create and maintain a policy for employees regarding use and protection of credit card data

These are simply the basic principles of PCI DSS merchant compliance, and the standard is updated regularly to address evolving threats. Merchants will need to monitor developments and ensure data storage systems still adhere to the guidelines.

To learn more about how the PCI DSS standard came into existence, read our article What’s the history of PCI DSS?

PCI compliance for storing credit card information

How do you build and maintain a system that can store credit card data and meet PCI DSS standards?

There are three steps to follow:

1: Assess and update

Aspects of your data storage systems may already be PCI DSS compliant – but you won’t know until you assess them. You will need to audit every part of the system used to store credit card information.

Part of PCI DSS compliance is completing a self-assessment exercise which will help you complete your systems audit. It will highlight areas where improvements must be made. This will mean securing your network against unauthorised access, encrypting stored data and monitoring systems for security vulnerabilities that could be exploited by malicious actors.

2: Choose the right equipment

To protect your customers and maintain security standards, always choose PCI approved equipment. The PCI oversight body certifies a range of hardware and software solutions to confirm they meet regulatory requirements.

From payment terminals to firewalls and encryption tools, each product is hardened against attack. They automatically apply encryption protocols to keep sensitive data secure in transit.

Choosing compliant tools will assist with PCI compliance for storing credit card information – and better protect your customers.

3: Train your employees

Employees tend to be a weak link in PCI DSS compliance. It is critical that employees receive ongoing training about the regulations and data handling best practices.

Regular training will reduce incidences of human error. It will also ensure that everyone in the organisation plays their part in maintaining PCI compliance for storing credit card information.

Check out How to become PCI compliant to get started now. You can read more about the in-depth technology requirements of PCI DSS in our article Why should merchants use PCI point-to-point encryption (P2PE)?

Best practices for storing credit card information

As you journey towards PCI DSS compliance, attention turns to storing credit card information. Your data storage environment must be reconfigured to meet these industry best practice guidelines:

Encryption and tokenisation

Credit card encryption makes data unreadable even if your systems are breached. Unless hackers can steal your data decryption keys, any information they take is useless.

You can further strengthen your defences using tokenisation. This advanced technique replaces sensitive data, like credit card numbers, with ‘tokens’ that act as placeholders. The token is very secure because the mapping back to the card number exists only inside your tokenisation system: it cannot be reverse engineered or decrypted outside that system, making it worthless to thieves.

Limit data storage

Another important consideration is to limit how much data you collect and store. The less information you have, the less you must protect.

Carefully consider what credit card data you do need to store and what you can do without. Only keep what is strictly necessary. You can improve defences further still by only holding credit card information for a limited period – a few months or a year. Routinely deleting older data dramatically reduces the risk of breach.
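The tokenisation described in the previous section, combined with the retention limit described here, as one added example that is not Worldpay’s code or any provider’s API: TokenVault, tokenize, detokenize and purge_expired are names invented for this illustration, the injectable clock is an assumption made so retention can be tested, and the 4111… card number is a constructed test value.

```python
import secrets
import time


class TokenVault:
    """Maps random tokens to card numbers and deletes them after a retention period.

    The merchant's own systems keep only the token and the last four digits;
    the mapping lives here and nowhere else. In production this class stands in
    for a separate, hardened vault (usually the payment provider's) in which the
    stored PAN is itself encrypted.
    """

    def __init__(self, retention_days: int, now=time.time):
        self._retention = retention_days * 86_400
        self._now = now  # injectable clock so retention can be tested offline
        self._store: dict[str, tuple[str, float]] = {}  # token -> (pan, created_at)

    def tokenize(self, pan: str) -> tuple[str, str]:
        """Return a fresh random token and the last four digits for display.

        The token is drawn from a CSPRNG and has no mathematical relationship to
        the PAN, so it cannot be reversed or 'decrypted' by anyone who steals it.
        In this design every call yields a new token, so a token leaked from one
        system cannot be correlated with the same card stored elsewhere.
        """
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (pan, self._now())
        return token, pan[-4:]

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; only code inside the vault can do this."""
        pan, _ = self._store[token]  # KeyError for unknown or already-purged tokens
        return pan

    def purge_expired(self) -> int:
        """Delete every mapping older than the retention period; returns the count.

        Run this on a schedule: once the mapping is gone, the token left in the
        merchant's database is a meaningless string, which is the point of
        keeping card data only for as long as it is needed.
        """
        cutoff = self._now() - self._retention
        expired = [t for t, (_, created) in self._store.items() if created < cutoff]
        for t in expired:
            del self._store[t]
        return len(expired)
```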

Secure access controls

Ensure that authorised users are only able to access credit card data for specific work-related purposes. Use role-based access permissions to limit access as much as possible.

Strengthen access controls using enhanced account control mechanisms like two-factor authentication (2FA). 2FA requires an additional token, like a code sent via SMS, alongside the usual username and password before granting access.

Conduct regular security audits

Cybercrime techniques evolve rapidly. What was secure yesterday may not be secure today. Merchants must undertake regular security audits to identify and fix potential vulnerabilities.

Routinely installing software updates and patches will strengthen your IT posture – and ensure you remain PCI DSS compliant.

Conclusion

Storing customer credit card information is convenient for your clients – but it brings a raft of additional responsibilities. Securing data is essential for your customers, your payment processing partners, government regulators and, ultimately, for your business.

The penalties for failing to store credit card data securely are significant but following the steps outlined in this guide will help you develop a workable, effective strategy. Data security is a constantly evolving industry, and your team must stay vigilant. Monitoring and meeting changes to PCI DSS requirements is just the starting point. You will also need to assess and update security measures frequently.

You can take an important step towards improving the way you collect and store customer credit card data today – start taking secure card payments with Worldpay’s Simplicity Payment Gateway.