Oh, how we love shopping with fantastic plastic! 💳 Credit cards make paying for online purchases just so easy. Unfortunately, it’s also easy for those little numbers to fall into the wrong hands and cause a whole mess of problems. 👐
As a store owner, it’s your responsibility to be compliant with credit card security laws and ensure that your customer’s information is kept confidential. 🔐 Failing to do so would not only be in violation of the law but also your customers’ loyalty. That’s a double no-no.
The PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard applies to companies of any size that accept credit card payments from the major credit card companies: Visa, MasterCard, American Express, Discover and JCB.
The PCI DSS requires Volusion to store all sensitive data in a secure manner. This also mandates that all merchants conducting business online using cardholder data follow PCI DSS guidelines.
Storing Cardholder Data
PCI-DSS mandates that cardholder data can only be stored to the extent and for the time required to meet the needs of your business. It also requires that you can only display the first 6 OR last 4 digits of Primary Account Numbers or PANs (the credit card account number on the face of the card), and that they must be rendered unreadable anywhere they’re stored. That means any stored PAN must be encrypted. Last but not least, you may never store authentication data after authorization, even if it’s encrypted.
⚠️️ What NOT to Do
The following data-storage practices violate the PCI DSS:
- Credit card numbers stored in custom fields (on orders or customer records)
- Card security codes (CVV2/CVV/CSC/CVC/CID) stored in custom fields
- Credit card numbers stored in order notes / private notes fields
- Credit card security codes stored in order notes fields
Some rules are meant to be broken ... but not Volusion’s Terms of Service and the PCI DSS requirements. If you are using any mechanisms that capture sensitive data in unapproved ways, you must remove them, including custom fields you’ve created that request card numbers or security codes.
Rules are so … rule-y. When there are so many to keep track of, it can take the fun out of retailing. But these rules are put in place for good reason: to keep your customers’ data safe, which ultimately is what’s best for them and your store. Periodic reviews of the latest credit card security guidelines will help you prevent your store from becoming a security risk and enable your customers to shop with confidence.