Encrypted credit card information storage: Is it legal, PCI DSS and How to do it?

As a major portion of our lives moves online, protecting our personal and financial information, especially credit card information, has become extremely crucial. Credit card data is susceptible and needs to be securely stored to protect our financial information from falling into the wrong hands. In this article, we will discuss the importance of secure credit card information storage and the best practices to ensure that your data is safe.

Encrypted credit card storage

Storing credit card information is an important task requiring high priority and security. There are several methods to store credit card information, but the most secure method is the use of encryption. Credit cards carry highly sensitive data, which must be encrypted to remain secure. Encryption using strong algorithms is the most commonly used method for storing credit card information. It involves encrypting the cardholder data with an encryption key, so that the data is unreadable to anyone who does not hold the key. This means that even if the data is intercepted, it cannot be decrypted without the correct key. Encrypted credit card information is also stored in a secure, encrypted database.

When storing credit card information, it is vital to use a strong encryption algorithm and to review it regularly so that it still protects against the latest threats. It is also essential to use a secure protocol such as SSL or TLS to protect the data from being sniffed, manipulated or intercepted during transmission.

In addition to encryption, businesses should implement tokenisation when storing credit card information. Tokenisation is the process of replacing cardholder data with a unique identifier, or “token”. The token is stored in a secure database and can be used to process payments without disclosing the actual credit card information. Tokenisation helps to reduce the risk of data theft and contributes to protecting customers’ privacy.

Are credit card numbers sensitive?

Storing credit card information is an important task for any company that accepts credit card payments, as it is essential to the success of their merchant account. Credit card data is regulated by the Payment Card Industry (PCI) Data Security Standard, which requires businesses to take specific measures to protect customer information. The primary account number (PAN) is the most sensitive information. It includes:
  • The cardholder’s name
  • Account number
  • Expiration date
Businesses should also be aware of the Sensitive Authentication Data (SAD) associated with a credit card. It consists of the 3-4 digit security code on the back of the card and other authentication data, such as that used for chip-based authentication. In addition to the PAN and SAD, businesses should also take into account the other information associated with a card, such as the cardholder’s billing address and phone number. It is also important that credit card data is not shared with third-party vendors, like payment processors, who may handle or store credit card information. Lastly, it is vital to ensure that card data is completely destroyed once it is no longer needed: the data should be securely deleted, not simply thrown away or stored in a way that others could potentially access.

Storing credit cards and credit card details

Can you store credit card data?

Storing credit card data is common for businesses that accept payments online. Many companies store credit card information to process payments quickly and avoid re-entering the customer’s information each time they purchase. However, storing credit card information also carries risks, including the potential for cyber breaches and other security issues. There are particular things you can and cannot store if you want to remain compliant and protect your customers’ credit card information. The encrypted data you can store:
  • Cardholder PAN (Primary Account Number) (the 16-digit number present on the card front)
  • Expiration date
  • Service code (stored within the magnetic stripe)
The encrypted data you cannot store:
  • Authentication data (e.g., the magnetic stripe data)
  • CVV/CVC (three or four-digit code present on the card back)
  • PIN/PIN block (i.e., the encrypted PIN)
Realising your duties as a merchant is critical, as data breaches are rising. By 2025, the US will reach $12.5 billion in card fraud losses. In addition to storing card data, businesses may also need to store electronic track data, which is the information stored on the magnetic stripe of a credit card. This information is used to authenticate a customer’s identity and to process payments. Businesses should use a secure service provider to keep such data safe when storing it.

Is it legal to store credit card details?

Storing credit card information is not illegal, but companies must meet the standards set by the major credit card companies. The PCI Security Standards Council (PCI SSC) enforces the Payment Card Industry Data Security Standard (PCI DSS) to secure cardholder information. PCI audit and compliance ensures businesses use secure practices for storing card info to avoid data breaches, fines, audits from the Federal Trade Commission, and potential loss of customers from intentional or accidental non-compliance.

Is it legal to store credit card information on paper?

Businesses may opt for paper storage of card information but must follow the same regulations for physical and digital data storage; they should avoid storing sensitive authentication information. To further protect the data, merchants must keep it in a secure location and limit access to it, only referencing it when necessary. Tip: Credit card information should only be used during the transaction.

How to store credit card information?


Understand PCI standards

Being a PCI-compliant system proactively protects customer data by having policies and strategies for each zone that accepts transactions. The PCI compliance checklist is a way to organise efforts. Still, some basic requirements exist, such as PCI-compliant hardware and software, a secured server, and consistent employee education on data breaches.

Confirm the need to store credit card information

Storing online card data is beneficial for a merchant account with recurring billing or frequent customers; otherwise, it is unnecessary and should be removed.

Use secure forms for credit card details

Never use regular contact fields on forms from CRMs like ActiveCampaign or HubSpot to collect sensitive information; use secure payment gateways instead and encrypt all sensitive data.

Routinely update hardware and software

80% of attacks can be prevented by strengthening passwords and updating software. PCI compliance requires businesses to update their hardware and software and to download any patches that come through. Additionally, vendors should be identified for update notifications. Special care should be taken to update eCommerce payment applications, gateways and processors, as this is where most credit card information is collected.

Don’t store credit card information in your CRM

Never store sensitive information in CRM profiles without encryption. Use a secure storage system or separate software to link payment information to customer lifetime values without compromising security.

Use only authorised service providers

Using PCI-approved equipment and service providers to manage card payment processing packages and storage is required for PCI compliance. Service providers include:
  • Web-based SaaS (Software as a Service) providers.
  • IVR phone services.
  • Even organisations to which you outsource all payment processing functions.
After extensive testing through an external qualified security assessor, they can be designated as a PCI DSS Validated Entity.

Secure electronic credit card account numbers

Electronic storage of card account numbers is also possible. Still, they must be encrypted using a robust encryption algorithm to protect against theft or unauthorised access. If you would rather not encrypt the files yourself, many service providers offer secure online storage platforms, usually issuing a “token” in place of each card number they store. When it is time to process a payment, the service provider retrieves the whole card number for the transaction.

Where do you store credit card numbers?

Card numbers are sensitive and confidential information that should be stored securely. There are a few ways to store credit card numbers safely and in a PCI-compliant manner. One of the most secure ways to store card numbers is to use a third-party payment processor. Payment processors such as Stripe, PayPal, and Authorize.net are used by many businesses to store and process credit card payments securely. These services are PCI-compliant and use encryption to protect customer data. Another way to store card numbers is to use a secure database. Businesses can create their own databases or use cloud-based services like Amazon Web Services or Microsoft Azure. These databases should be encrypted and have additional security measures, such as two-factor authentication. Finally, businesses may store card numbers in a secure vault, a physical location where sensitive documents are stored and protected. Vaults should have restricted access and be monitored by an alarm system. No matter which method a business or reputable service provider chooses to store card numbers, it is crucial to ensure that the information is kept secure and compliant with industry data security standards.

Storing credit card information in a database

Cybercriminals usually target databases because they contain customer records and other confidential personal and/or business data. It makes them vulnerable to data theft, resulting in business disruption and significant damages. To avoid such risks, refrain from using databases as a credit card vault.

Access privilege abuse

Storing credit card and other personal data anywhere in your database exposes it to anyone with access privileges, making it vulnerable to data breaches by an independent developer. Applying the principle of least privilege and limiting privileges may be insufficient on its own, as users can still link the database to another application like Excel or take photos of the data with their phones.

Misconfigured databases

If you don’t take the time to patch your server, cybercriminals can easily breach it. Many businesses, particularly smaller ones, fail to keep their servers up to date, while others maintain default database settings. Large companies are also prone to neglecting database updates, which can open up a vulnerability if sensitive data like card information is stored in the database. It provides attackers with an opportunity to get their hands on the information.

SQL injection attacks

SQL injection is a cyber attack in which malicious SQL is inserted into the queries an application sends to its database. It causes the database to behave in a manner that makes it more vulnerable. Imperva, a cybersecurity company, says that at least 80% of the websites which they protect face an attempted attack monthly. These attacks occur when applications connected to the database have security flaws. If card information is stored in the database, it can be exposed, resulting in a data breach. Businesses without the necessary skills to address such problems are particularly vulnerable to these attacks.
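As an added example that is not part of the original article, here is the flaw this section describes beside its fix, using Python's built-in sqlite3 and a constructed customer table that holds only a card token and the last four digits, never the full PAN:

```python
import sqlite3

# Constructed sample data: the application keeps a token and the last four digits,
# so even a successful injection against this table does not yield a usable PAN.
ROWS = [
    ("alice@example.com", "tok_a1", "1111"),
    ("bob@example.com", "tok_b2", "2222"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_token TEXT, last_four TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Flawed lookup: untrusted input is spliced into the SQL text, so a value
    containing quotes changes the structure of the query itself."""
    sql = f"SELECT email, card_token FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened lookup: the value is passed as a bound parameter, so the driver
    treats it purely as data and it can never alter the query."""
    sql = "SELECT email, card_token FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()
```

Running both lookups with the same quote-bearing input shows the difference: the concatenated query returns every row, the parameterised one returns none.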

Storing customer credit card information

Can I store customers’ credit card information?

Businesses can store customers’ card information. However, the data must be stored securely and in a PCI-compliant way. Companies must securely store customer credit card information, get customer consent before sharing it, prevent unauthorised purchases, follow PCI DSS guidelines, and use secure third-party software or a service provider to keep customer data safe.

Is it illegal to take card details over the phone?

Yes, taking customer card information over the phone is illegal. Companies are responsible for protecting customers’ card information and must securely manage credit card processing. That means credit card account information should not be taken over the phone. If businesses fail to adhere to the PCI DSS standards, they could face severe financial penalties and criminal charges. In some cases, companies could face fines of up to $500,000 or even imprisonment. Therefore, businesses need to take the necessary steps to ensure that any customer’s credit card information is not taken over the phone.

PCI requirements for storing credit card numbers

PCI DSS Requirement 3 discusses protecting stored cardholder data to minimise the risk of a data breach. Let’s go through its sub-requirements now:

PCI DSS requirement 01

Organisations must create policies for data retention and secure deletion, and a quarterly process to find and delete cardholder information that has exceeded its retention time. They can use data discovery tools and best practices to detect sensitive data and protect cardholder data against physical threats, even where they are unaware that cardholder information is being stored.

PCI DSS requirement 02

Organisations must not store Sensitive Authentication Data (SAD) even if encrypted. This data is highly valuable to attackers for fraudulent transactions, both card-present and card-not-present. The only organisations that may store it are card issuers with a legitimate business need to support issuing services.

PCI DSS requirement 03

Limit viewing of the full Primary Account Number (PAN) to users with a legitimate business need, and mask the PAN when displaying it on screens, paper receipts, and other printouts, showing only the first six and last four digits.

PCI DSS requirement 04

PCI DSS lists acceptable methods for rendering PAN data unreadable, such as strong one-way hash functions, truncation, index tokens with securely stored pads, and strong cryptography. These methods protect the data by making it difficult and time-consuming to recover in the event of an attack, rendering stolen data essentially useless.
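The PAN-protection methods listed here, together with the tokenisation approach described earlier in the article, as an added Python example that is not part of the original article; the test PAN, the HMAC secret and the in-memory vault are constructed for illustration:

```python
import hashlib
import hmac
import secrets


def _digits(pan: str) -> str:
    """Normalise a PAN by dropping spaces and checking it is 13-19 digits."""
    d = pan.replace(" ", "")
    if not d.isdigit() or not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return d


def mask_pan(pan: str) -> str:
    """Display form for screens and receipts: first six and last four digits visible."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only the last four digits; the PAN cannot be rebuilt from it."""
    return _digits(pan)[-4:]


def hash_pan(pan: str, secret: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN.

    The secret plays the role of the securely stored pad: without it the digest
    cannot be matched against guessed PANs, which matters because the PAN space
    is small enough to enumerate if a plain, unkeyed hash were used.
    """
    return hmac.new(secret, _digits(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Maps random tokens to PANs so the rest of the system only ever handles tokens.

    The dict stands in for the vault database (an assumption of this example); in a
    real deployment the PAN column would itself be encrypted with strong
    cryptography and the key held separately, as the key-management requirements below describe.
    """

    def __init__(self) -> None:
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random, so it reveals nothing about the PAN
        self._pans[token] = _digits(pan)
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]  # only the payment step should be allowed to call this
```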

PCI DSS requirement 05

Organisations should limit the possibility of attackers using encryption keys to decrypt data and expose cardholder information by storing the keys in as few places as possible and granting access to as few people as possible. They should also consider external threats, physical threats and internal threats from employees, in order to comply with the PCI DSS requirement to safeguard encryption keys from disclosure and misuse and to document these procedures.

PCI DSS requirement 06

Document all key management processes for the use of cryptographic keys. These include securely generating, distributing and storing them, and setting policies to change keys at the end of their cryptoperiod or if their integrity is weakened. This usually happens if a team member leaves the organisation knowing the plaintext encryption key, or if the keys are suspected of being compromised. In addition, businesses can find detailed PCI compliance procedures in the information available on the PCI DSS website.

Final thoughts

Businesses must take necessary precautions to be PCI-compliant and be aware of best practices for storing customers’ card information. Also, they must be mindful of the potential risks of storing data on any credit card processing software or database. Doing so will foster customer loyalty and avoid the costly consequences of a data breach.
