One of the biggest concerns you hear when setting up modern payment systems is security. How can we store a cardholder's data securely? In part one of this three-part article on recurring payments, we look at storing cardholder data.
Storing Cardholder Data (Avoid when possible!)
When e-commerce payments were still a relatively new concept, there was no standard for the protection of cardholder data. This left merchants, more or less, to do what they wanted when it came to handling card data. Of course, breaches occurred, causing headaches for cardholders, merchants, issuing banks, and the card brands.
When card data was stolen or compromised, it led to lost funds as well as the cost of creating and re-issuing the compromised cards. In 2004 the card brands worked together to address this with the advent of the PCI standard. The standard gives merchants a clear guideline to follow for the protection of cardholder data, but complying with it is a tremendous challenge for merchants.
One of the best ways to minimize the headache is to avoid holding the data at all. In general, avoid storing sensitive data whenever you can (unless you have strong technical expertise within your organization, or perhaps just an unhealthy appetite for unnecessary liability).
The PCI security standard takes into account that some businesses simply do not have the ability, time or expertise to satisfy its technical requirements. Fortunately, merchants can rely on service providers to touch, handle and store credit card numbers, which keeps cardholder data away from your organization. If you rely on PCI-compliant third parties for the collection and storage of all cardholder data, you can qualify for a simplified version of the PCI self-assessment questionnaire, in which you essentially state that those providers handle the cardholder data for your business and that they are PCI compliant. Said more plainly, you are outsourcing the headaches.
This is sometimes referred to as
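The pattern described above, where a PCI-compliant provider holds the card number and the merchant keeps only an opaque reference to it, is easy to state but easy to break by accident: one logging statement or one mislabeled form field can put a full card number into your own database. The following is an added example, not code from the original article or from CRM Dynamics, of how a merchant-side data layer can enforce the rule. It assumes a hypothetical provider that returns a token (the "tok_..." format, the last four digits and the expiry are all assumptions), and it refuses to persist any field that looks like a full card number, using the Luhn checksum that real card numbers satisfy, and masks such numbers before anything reaches a log.

```python
"""Merchant-side payment record that never persists a full card number (PAN).

Added example, not the article's or CRM Dynamics' own code. Assumptions:
the payment provider returns an opaque token plus the card's last four
digits and expiry (all hypothetical field names and formats), and the
merchant stores nothing else. The guard below rejects any stored field
containing a 13-19 digit Luhn-valid run, so a bug elsewhere cannot quietly
put cardholder data into the merchant's database.
"""
import re
from dataclasses import dataclass

# A run of 13-23 characters that is digits, spaces or dashes, starting and
# ending with a digit; candidate card numbers are pulled out of free text with it.
_DIGIT_RUN = re.compile(r"\d[\d -]{11,21}\d")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if value contains a 13-19 digit run (spaces/dashes ignored) that passes Luhn."""
    for m in _DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def redact_pans(text: str) -> str:
    """Mask all but the last four digits of any Luhn-valid card number, for safe logging."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()        # not a card number (e.g. an order id): leave it alone
    return _DIGIT_RUN.sub(_mask, text)


class PanLeakError(ValueError):
    """Raised when a value destined for merchant storage looks like a full card number."""


@dataclass(frozen=True)
class StoredPaymentMethod:
    customer_id: str
    provider_token: str   # opaque reference; the provider holds the actual card number
    last4: str            # displayed to the customer, never enough to charge a card
    exp_month: int
    exp_year: int


def build_stored_method(customer_id: str, provider_token: str, last4: str,
                        exp_month: int, exp_year: int) -> StoredPaymentMethod:
    """Validate the fields the merchant is allowed to keep and reject anything PAN-shaped."""
    for name, val in (("customer_id", customer_id),
                      ("provider_token", provider_token),
                      ("last4", last4)):
        if looks_like_pan(str(val)):
            raise PanLeakError(f"refusing to store {name}: value looks like a full card number")
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return StoredPaymentMethod(customer_id, provider_token, last4, exp_month, exp_year)


def charge_request(method: StoredPaymentMethod, amount_cents: int, currency: str = "USD") -> dict:
    """Build the request sent to the provider for a recurring charge: only the token travels."""
    return {"token": method.provider_token, "amount": amount_cents, "currency": currency}


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    method = build_stored_method("cust_42", "tok_8f3a9c", "1111", 12, 2030)
    print(charge_request(method, 1999))
    print(redact_pans("card 4111 1111 1111 1111 declined for cust_42"))
    try:
        build_stored_method("cust_42", "4111 1111 1111 1111", "1111", 12, 2030)
    except PanLeakError as e:
        print("blocked:", e)
```

The guard is deliberately placed at the point of persistence rather than in the web form, because the form is not the only path data takes into a database; the log redaction covers the other common leak. Luhn-valid detection keeps false positives low for order numbers and phone numbers, which rarely pass the checksum, while still catching a card number that arrives with spaces or dashes.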
CRM Dynamics employs this tokenization method in our payment pathways solutions. If you'd like to learn more about how we can assist you in keeping your cardholder's data safe, give our