Encrypted credit card storage
Storing credit card information is a high-priority task with strict security requirements. Several methods exist, and encryption of the stored data is the baseline control. Cardholder data is highly sensitive and must be rendered unreadable wherever it is kept. Strong encryption transforms the cardholder data under a key, so anyone who obtains the stored records but not the key sees only ciphertext; the security of the scheme then rests on protecting that key, not on hiding the data. Encrypted card data should sit in a hardened, access-controlled database that is separate from the systems holding the key. Use current, well-vetted algorithms and key lengths, retire any that industry guidance no longer considers strong, and protect data in transit with TLS (SSL is obsolete and must not be used) so it cannot be sniffed or tampered with. In addition to encryption, businesses should implement tokenisation. Tokenisation replaces the card number with a unique surrogate value or "token" that has no mathematical relationship to the PAN; the application stores only the token, while the mapping back to the real card number lives in a segregated vault or with a token service provider. The token can be used to process payments without exposing the card number, which shrinks the set of systems that hold real cardholder data and with it the risk of theft and the compliance burden.
Are credit card numbers sensitive?
Yes. Protecting credit card information is a core responsibility for any company that accepts card payments and a condition of keeping its merchant account. Card data is governed by the Payment Card Industry Data Security Standard (PCI DSS), which requires businesses to take specific measures to protect it. The standard defines two classes of data. Cardholder data, which may be stored if it is protected, consists of:
- The primary account number (PAN), the 13 to 19 digit number on the front of the card and the most sensitive element in this class
- The cardholder's name
- The expiration date
- The service code
Sensitive authentication data (full track data, the CVV/CVC security code and PINs or PIN blocks) is a separate class that must never be retained after authorisation, even in encrypted form.
Storing credit cards and credit card details
Can you store credit card data?
Storing credit card data is common for businesses that accept payments online. Many companies keep card details on file to take recurring payments quickly and spare the customer from re-entering them on every purchase. Storing card information also carries risks, including breaches and the compliance burden that comes with holding it. PCI DSS draws a clear line between what you may store, provided it is protected, and what you may never store. Cardholder data you may store if it is rendered unreadable (encrypted, truncated, hashed with a keyed hash, or tokenised):
- Cardholder PAN (Primary Account Number), the 13 to 19 digit number on the card front
- Cardholder name
- Expiration date
- Service code (encoded on the magnetic stripe or chip)
Sensitive authentication data (SAD) that must not be stored after authorisation, even if encrypted:
- Full track data from the magnetic stripe, or the equivalent data on a chip
- CVV/CVC/CID (the three or four-digit code printed on the card)
- PIN or PIN block (including the encrypted PIN block)
SAD may be held only transiently while a transaction is being authorised. Once the authorisation response is received it must be securely deleted, and that deletion should be verified in the places where it tends to leak: application logs, memory dumps, crash reports, debug tables and call recordings.
Is it legal to store credit card details?
Storing credit card information is not illegal, but merchants must meet the standards set by the major card brands. The PCI Security Standards Council (PCI SSC) maintains the Payment Card Industry Data Security Standard (PCI DSS); it is enforced contractually by the card brands and acquiring banks rather than by a government agency, although separate privacy and breach-notification laws may also apply to the same data. Validating PCI compliance ensures businesses use secure practices for storing card data and helps them avoid breaches, fines and increased fees imposed through their acquirer, forensic investigations after an incident, and the loss of customers that follows intentional or accidental non-compliance.
Is it legal to store credit card information on paper?
Businesses may keep card information on paper, but the same rules apply to physical records as to digital ones: never write down sensitive authentication data such as the CVV, keep the records in a locked, access-controlled location, limit who may handle them, reference them only when necessary, and shred them securely once the retention period ends. Tip: card information should be used only for the transaction at hand and not kept afterwards unless there is a documented business need.
How to store credit card information?
Understand PCI standards
A PCI-compliant system proactively protects customer data by having policies and controls for every environment that accepts, processes or stores transactions. A PCI compliance checklist is a good way to organise the effort, but some basic requirements apply everywhere: PCI-compliant hardware and software, hardened and patched servers, network segmentation of the cardholder data environment, and consistent employee education on handling card data and recognising breaches.
Confirm the need to store credit card information
Storing card data is beneficial for a merchant with recurring billing or frequent repeat customers; otherwise it is unnecessary and should not be retained, because every system that holds it falls into PCI DSS scope. If you only need to recognise a returning card, keep the payment provider's token and the last four digits.
Use secure forms for credit card details
Never use regular contact fields on forms from CRMs such as ActiveCampaign or HubSpot to collect card numbers. Use a secure payment gateway's hosted payment form or iframe instead, so the card data goes straight to the provider and your own servers never see it.
Routinely update hardware and software
A large share of breaches exploit weak passwords and unpatched software, so strong authentication and prompt patching prevent many attacks outright. PCI compliance requires businesses to keep hardware and software up to date and to apply security patches promptly, with critical patches installed within a month of release. Register with vendors for update notifications. Take special care with eCommerce payment applications, gateways and processors, because that is where most card information is collected.
Don't store credit card information in your CRM
Never store card numbers in CRM profiles, encrypted or not. A CRM is not designed to be a cardholder data environment, and holding PANs in it pulls every CRM user and integration into PCI scope. Store the payment provider's token there instead; that lets you link payment history to customer lifetime value without holding the card number.
Use only authorised service providers
PCI compliance requires using PCI-approved equipment and PCI DSS validated service providers for card payment processing and storage, and keeping a list of those providers together with their compliance status. Service providers include:
- Web-based SaaS (Software as a Service) providers that handle card data.
- IVR phone payment services.
- Organisations to which you outsource all payment processing functions.
Secure electronic credit card account numbers
Electronic storage of card account numbers is permitted, but they must be encrypted with a strong, current algorithm (or truncated, hashed with a keyed hash, or tokenised) to protect against theft or unauthorised access, with the keys held apart from the data. If you would rather not manage encryption yourself, many service providers offer a card vault: they hold the card number and give you a token in its place. When it is time to process a payment, you send the token and the provider resolves it to the full card number for the transaction.
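The tokenisation described above and in the opening section, as an added example that is not code from the original article. The two in-memory sqlite databases stand in for two separate systems: the application database, which holds only tokens and the last four digits, and a segmented vault (or a token service provider). The vault indexes cards by a keyed hash of the PAN so a repeat card gets the same token without storing an unkeyed hash. Everything here is constructed: `HMAC_KEY` is generated on the spot where production would fetch it from a key manager or HSM, the PAN column would additionally be encrypted at rest, and the card numbers are published test numbers.

```python
"""Tokenisation vault: the application keeps a token, the vault keeps the PAN."""
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: a 256-bit secret for the keyed-hash index over the PAN. In
# production this comes from a key manager/HSM, never from the data host.
HMAC_KEY = secrets.token_bytes(32)


def normalise_pan(pan: str) -> str:
    """Strip the spaces and dashes people type; everything else must be digits."""
    return pan.replace(" ", "").replace("-", "")


def is_pan_shaped(pan: str) -> bool:
    """PANs are 13 to 19 digits (a full check would also run Luhn and a BIN lookup)."""
    digits = normalise_pan(pan)
    return digits.isdigit() and 13 <= len(digits) <= 19


class TokenVault:
    """Stand-in for a segmented vault or token service provider."""

    def __init__(self) -> None:
        self.vault = sqlite3.connect(":memory:")
        self.vault.execute(
            "CREATE TABLE vault (token TEXT PRIMARY KEY, pan_hmac TEXT UNIQUE, pan TEXT NOT NULL)"
        )

    def _index(self, pan: str) -> str:
        # Keyed hash of the entire PAN (PCI DSS v4.0 disallows unkeyed hashes of PAN).
        return hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for this card, creating one if the card is new.

        The token is random, so it reveals nothing about the PAN and cannot be
        reversed without access to the vault."""
        if not is_pan_shaped(pan):
            raise ValueError("not a PAN")
        pan = normalise_pan(pan)
        idx = self._index(pan)
        row = self.vault.execute("SELECT token FROM vault WHERE pan_hmac = ?", (idx,)).fetchone()
        if row:
            return row[0]
        token = "tok_" + secrets.token_urlsafe(24)
        self.vault.execute("INSERT INTO vault VALUES (?, ?, ?)", (token, idx, pan))
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; only the payment path should call this."""
        row = self.vault.execute("SELECT pan FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        return row[0]


def store_customer_card(app_db: sqlite3.Connection, vault: TokenVault, email: str, pan: str) -> str:
    """What the application persists: the token and the last four digits for display."""
    token = vault.tokenize(pan)
    app_db.execute(
        "INSERT INTO customer_cards (email, card_token, last4) VALUES (?, ?, ?)",
        (email, token, normalise_pan(pan)[-4:]),
    )
    return token


def demo() -> dict:
    """Constructed walk-through: one vault, one application database, two test cards."""
    vault = TokenVault()
    app_db = sqlite3.connect(":memory:")
    app_db.execute("CREATE TABLE customer_cards (email TEXT, card_token TEXT, last4 TEXT)")
    t1 = store_customer_card(app_db, vault, "alice@example.com", "4111 1111 1111 1111")
    t2 = store_customer_card(app_db, vault, "alice@example.com", "4111111111111111")  # same card
    t3 = store_customer_card(app_db, vault, "bob@example.com", "5500 0000 0000 0004")
    app_rows = app_db.execute("SELECT email, card_token, last4 FROM customer_cards").fetchall()
    return {
        "same_card_same_token": t1 == t2,
        "different_card_different_token": t1 != t3,
        "charge_resolves_to_pan": vault.detokenize(t1) == "4111111111111111",
        "pan_in_app_db": any("4111111111111111" in "".join(r) for r in app_rows),
        "last4": app_rows[0][2],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is scope: a dump of `customer_cards` yields tokens that are worthless without the vault, and only the payment path ever calls `detokenize`.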
Where do you store credit card numbers?
Card numbers are sensitive, confidential information and must be stored securely. There are a few ways to do this in a PCI-compliant manner. The most common is to let a third-party payment service provider hold them: Stripe, PayPal, Authorize.net and similar providers store and process card payments on behalf of many businesses; they are PCI DSS validated and return a token for each card, so the merchant never stores the PAN. Another way is a secure database of your own, on premises or on cloud services such as Amazon Web Services or Microsoft Azure; the card data in it must be encrypted or otherwise rendered unreadable, access must require multi-factor authentication and be logged, and the database must be segmented from the rest of the network. Finally, businesses may keep paper records in a secure vault, a physical location with restricted, monitored access and an alarm system. Whichever method a business or service provider chooses, the information must be kept secure and compliant with PCI DSS.
Storing credit card information in a database
Cybercriminals target databases because they hold customer records and other confidential personal or business data, and a breach of one causes business disruption and significant damage. Keeping PANs in a general-purpose application database widens both the set of systems in PCI scope and the set of people who can reach the data. Prefer a token service provider or a dedicated, segmented vault; if card data must live in your own database, it has to be encrypted or otherwise rendered unreadable, tightly access-controlled and audited. The following risks explain why.
Access privilege abuse
Card data stored anywhere in your database is exposed to everyone who holds privileges on it, including developers, DBAs and contractors, so a single abused or compromised account becomes a breach. Applying least privilege and limiting grants is necessary but not sufficient: a user with read access can still link the database to another tool such as Excel, export the rows, or photograph the screen with a phone. Rendering the PAN unreadable in the table itself and logging every access closes the gap that privilege restrictions leave.
Misconfigured and unpatched databases
If you do not patch your database server, attackers can breach it with publicly known exploits. Many businesses, particularly smaller ones, fail to keep servers up to date, while others leave default settings in place: default accounts and passwords, listening on all interfaces, no encryption of connections. Large companies also neglect database updates, and the neglect turns into a breach when card data is stored in the affected database.
SQL injection attacks
SQL injection is an attack in which an attacker supplies input that the application splices into a SQL statement, so the attacker's text is executed as part of the query. It occurs when an application connected to the database builds queries by string concatenation instead of parameterised statements, and it lets the attacker read, modify or delete any data the application account can reach, not just the table the query was meant to touch. Imperva, a cybersecurity company, says that at least 80% of the websites it protects face an attempted attack monthly. If card information is stored in the database, a single injectable query can expose all of it. Businesses without the development skills to find and fix these flaws are particularly vulnerable.
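The flaw and its fix side by side, as an added example that is not from the original article. The schema and rows are constructed: `customers` holds payment tokens, as the article recommends, while `cards` represents the mistake of keeping PANs in the same application database. The vulnerable lookup concatenates user input into the SQL text; the safe one binds it as a parameter. Two payloads are shown, a tautology that dumps the queried table and a UNION that pulls PANs out of a table the query never mentioned.

```python
"""A query built by string concatenation beside the parameterised version."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: tokens in customers, PANs (wrongly) in cards."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, card_token TEXT)")
    db.execute("CREATE TABLE cards (pan TEXT, expiry TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "tok_a1"), ("bob@example.com", "tok_b2")],
    )
    db.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("4111111111111111", "12/27"), ("5500000000000004", "03/26")],  # test numbers
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    # Deliberately vulnerable: the caller's text becomes part of the SQL grammar.
    sql = f"SELECT email, card_token FROM customers WHERE email = '{email}'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, email: str) -> list:
    # Placeholder binding: the driver passes the value to the engine separately,
    # so a quote inside it is just a character in a string, never syntax.
    return db.execute(
        "SELECT email, card_token FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Tautology: closes the string literal and appends an always-true clause.
TAUTOLOGY = "nobody@example.com' OR '1'='1"
# UNION: reads two columns from an unrelated table; '--' comments out the trailing quote.
UNION_EXFIL = "x' UNION SELECT pan, expiry FROM cards --"


def demo() -> dict:
    db = make_db()
    return {
        "tautology_vulnerable_rows": len(lookup_vulnerable(db, TAUTOLOGY)),  # every customer
        "tautology_safe_rows": len(lookup_safe(db, TAUTOLOGY)),              # none
        "union_vulnerable_pans": sorted(r[0] for r in lookup_vulnerable(db, UNION_EXFIL)),
        "union_safe_rows": len(lookup_safe(db, UNION_EXFIL)),                # none
        "safe_legit": lookup_safe(db, "alice@example.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Parameterisation fixes the grammar problem but not the data problem: the UNION payload only yields card numbers because PANs were in the database in the first place, which is the article's point about tokenising or vaulting them instead.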
Storing customer credit card information
Can I store customers' credit card information?
Yes, but the data must be stored securely and in a PCI DSS compliant way. Companies must obtain the customer's consent before keeping a card on file for future charges, prevent unauthorised purchases against it, follow the PCI DSS requirements for stored cardholder data, and preferably use a validated third-party provider to hold the card so their own systems see only tokens.
Is it illegal to take card details over the phone?
No. Taking card details over the phone (mail order/telephone order, or MOTO, transactions) is legal and common, but it brings the call-handling environment into PCI DSS scope. Staff should key the number directly into a payment terminal or a PCI-compliant virtual terminal rather than writing it down, and the security code must never be retained after authorisation. Call recordings that capture card numbers become stored cardholder data, and a recorded CVV is stored SAD, which is prohibited; recording must therefore be paused while the details are read out, or the customer enters the digits on their keypad with the tones masked. Businesses that fail to meet PCI DSS can face fines from the card brands passed on by their acquirer, higher processing fees or loss of the ability to accept cards, and liability for fraud losses after a breach.
PCI requirements for storing credit card numbers
PCI DSS Requirement 3 covers protecting stored cardholder data to minimise the risk of a data breach. Its sub-requirements, numbered 3.1 to 3.6 in PCI DSS v3.2.1, are:
PCI DSS requirement 3.1 (data retention)
Organisations must define a data-retention and disposal policy, securely delete cardholder data once it is no longer needed, and run a process at least quarterly to find and delete cardholder data that has exceeded its retention period. Data-discovery tools help locate PANs that have leaked into places the organisation did not know about, such as logs, backups, spreadsheets and support tickets.
PCI DSS requirement 3.2 (no sensitive authentication data)
Organisations must not store Sensitive Authentication Data (SAD) after authorisation, even if it is encrypted. This data is highly valuable to attackers because it enables fraudulent transactions, both card-present and card-not-present. The only exception is for card issuers and companies that support issuing services, which may store SAD when they have a legitimate business need and protect it.
PCI DSS requirement 3.3 (masking)
Mask the PAN wherever it is displayed, on screens, paper receipts and other printouts, so that at most the first six and last four digits are shown. Only personnel with a legitimate, documented business need may view the full PAN.
PCI DSS requirement 3.4 (render PAN unreadable)
PCI DSS lists the acceptable methods for rendering stored PAN unreadable: strong one-way hash functions over the entire PAN (PCI DSS v4.0 requires these to be keyed hashes), truncation, index tokens with securely stored pads, and strong cryptography with associated key management. Hashing and truncation are irreversible, so a stolen copy cannot be turned back into card numbers; encryption and index tokens are reversible only with the key or the vault, which is why those must be protected separately from the data. A truncated PAN and a hash of the same PAN must not be stored where they can be correlated, because together they make reconstructing the full PAN easy.
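The discovery sweep of requirement 3.1, the display masking of 3.3 and the truncation of 3.4 in working code, as an added example that is not the article's own. A candidate regex finds 13 to 19 digit runs with optional spaces or dashes, the Luhn check discards most numbers that are not card numbers, and the two transforms show the difference between masking (a display control over a PAN you still hold) and truncation (the other digits are gone). The log lines are constructed and use published test card numbers; `9876543210123` is an order id that fails Luhn.

```python
"""Find PANs in free text, then mask or truncate them."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued
# to other digits. The Luhn check removes most non-card numbers it catches.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled, 10-18 become 1-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Return Luhn-valid candidate card numbers (digits only) found in text."""
    return [
        _digits(m.group())
        for m in _CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group()))
    ]


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest replaced (3.3)."""
    d = _digits(pan)
    if len(d) < 13:
        raise ValueError("not a PAN")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four (3.4).

    Unlike masking, truncation is irreversible; the other digits are not kept."""
    return _digits(pan)[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, e.g. before writing a log line."""
    def _sub(m: "re.Match") -> str:
        d = _digits(m.group())
        return mask_pan(d) if luhn_ok(d) else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed log excerpt: two test card numbers that leaked into a log, plus
# an order id and a phone number that must not be flagged.
SAMPLE_LOG = (
    "2024-03-02 10:15:01 checkout ok card=4111 1111 1111 1111 order=9876543210123\n"
    "2024-03-02 10:15:09 checkout ok card=5500-0000-0000-0004 phone=+1 415 555 0100\n"
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("found", mask_pan(pan), "store as", truncate_pan(pan))
    print(redact(SAMPLE_LOG), end="")
```

A real sweep would add a BIN range lookup to cut false positives further and would run over databases and file shares, not just text logs; `redact` is also the shape of the filter to put in front of a logging pipeline so PANs never reach the logs in the first place.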
PCI DSS requirement 3.5 (protect keys)
Organisations must limit an attacker's ability to obtain the encryption keys and decrypt cardholder data: keep keys in as few locations as possible, restrict access to the fewest custodians necessary, and store them in a protected form, for example inside an HSM or encrypted under a key-encrypting key that is kept separately from the data-encrypting key. The threats considered should include physical access and insiders as well as remote attackers. The requirement also calls for documenting the procedures that protect keys from disclosure and misuse.
PCI DSS requirement 3.6 (key management)
Document and implement all key-management processes for the cryptographic keys that protect cardholder data: secure generation, distribution and storage, and replacement at the end of each key's cryptoperiod or whenever its integrity is weakened, typically because a custodian who knew a plaintext key component has left the organisation or the key is suspected of compromise. Retired keys must be destroyed, or kept only for decrypting archived data, and key custodians must formally acknowledge their responsibilities. Detailed guidance on these procedures is available on the PCI SSC website.
Final thoughts
Businesses must take the necessary precautions to be PCI-compliant and follow best practices for storing customers' card information. They must also be mindful of the risks of holding card data in any payment processing software or database, and store as little of it as the business genuinely needs. Doing so fosters customer trust and avoids the costly consequences of a data breach.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.