Perhaps the most important consideration for a merchant in securing sensitive credit card information is the level of credit card data being retained. The card retention level has a direct correlation to the level of the Self Assessment Questionnaire (SAQ) that merchants must complete to be PCI-DSS compliant (see the related article PCI: Data Security Standard Terms and Definitions for more details).
SAQ Validation Type | Description | SAQ |
1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
2 | Imprint-only merchants with no cardholder data storage. | B |
3 | Stand-alone dial-up terminal merchants, no cardholder data storage. | B |
4 | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. | C |
5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D |
Source: www.pcisecuritystandards.org
There are four Self Assessment Questionnaires, A-D: A being the simplest to complete, and D being the most involved and demanding. As the chart above illustrates, it is the retention of cardholder information, not the processing of cards, that requires the more involved SAQ D. And it is really at SAQ D that the security measures and their costs begin to exceed what are otherwise the common security concerns of any business network, and exceed what is a reasonable cost for most retailers.
Do not store ANY Credit Card information!
The bottom line here is to NEVER store even one Credit Card number anywhere on your business network. If you do, SAQ D, and its stringent requirements apply to you.
When processing a credit card for a sale transaction, there really is no reason to store the cardholder information once the transaction has been approved and captured: the approval itself assures that your funds will be deposited to your bank, and the authorization code and transaction reference returned by your processor are all you need to trace or refund the sale later.
Where most retailers are exposed is when they retain a customer's card information for convenience on future sales. PCI DSS forbids storing sensitive authentication data after authorization (the full magnetic-stripe or chip data, the card verification code printed on the card, and PINs), but it does permit storing the card number itself with the customer's consent, provided it is protected as the standard requires, and this is where many retailers put themselves at risk. If that number sits in an electronic file on a network that is ever reachable from the Internet, it is potentially accessible to the world. Although it may go against common sense, such card numbers are safer written on paper and kept in a secured physical location than in a file on the network.
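The advice above is only useful if you can verify it: a card number that an employee pasted into a spreadsheet, an order export, or a support ticket puts you into SAQ D territory whether or not anyone meant to store it. The scanner below, an added example that is not from the original article or from the PCI Security Standards Council, looks for candidate card numbers in text, validates them with the Luhn check digit that all payment card numbers carry, and reports only a masked form (first six and last four digits, the most PCI DSS allows to be displayed) so the scanner's own output does not become another copy of the data. The CSV export it scans is constructed for the example and uses the well-known test card numbers; the field names are invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated into groups by spaces or
# dashes, and not part of a longer digit run (so a 20-digit order ID is skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every payment card number carries a Luhn check digit, so a string that
    fails this test cannot be a PAN. A string that passes is only a candidate:
    roughly one random digit string in ten passes by chance.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS permits to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str


def find_pans(text: str) -> list[Finding]:
    """Scan text line by line and return masked, Luhn-valid card number candidates."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            # Reject runs of a single repeated digit (e.g. all zeros pass Luhn).
            if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


# Constructed sample: an order export a retailer might have left on a file share.
# Rows 2-4 hold the standard Visa, Mastercard and Amex test numbers; row 5 has a
# number with a bad check digit and row 6 an order reference that fails Luhn.
SAMPLE_EXPORT = """\
order_id,customer,card,cvv,amount
1001,Alice,4111 1111 1111 1111,123,49.99
1002,Bob,5555-5555-5555-4444,456,19.50
1003,Carol,378282246310005,789,120.00
1004,Dave,4111111111111112,000,5.00
1005,Erin,order-ref 1234567890123,,75.25
"""

if __name__ == "__main__":
    for finding in find_pans(SAMPLE_EXPORT):
        print(f"line {finding.line_no}: possible PAN {finding.masked}")
```

Run it over the constructed export and it flags lines 2, 3 and 4 and nothing else. Pointing `find_pans` at real files (spreadsheets exported to CSV, database dumps, mail archives) is the check to run before you sign SAQ C: if anything turns up, the number belongs on the paper record or with the processor, not on the network. Note that the sample export also carries a CVV column, which must never be stored after authorization regardless of how the card number is handled.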
Reasonable Alternatives
It might be tempting to take a step back from technology and go back to the old-fashioned knuckle buster, or to use a dial-up authorization device to process credit cards (requiring only SAQ B). Indeed, the security requirements are less rigorous, even though card numbers are completely exposed on paper or over an open phone line. But most retailers will find the inconvenience and much slower processing time more costly in terms of lost sales, as customers have become accustomed to the instant card approval that is available over the Internet.
But we don't need to throw the baby out with the bath water. A more reasonable approach is to process credit cards through the business network but never store the cardholder information once each transaction is approved. This still offers the benefit of approvals in less than five seconds, and avoids the risks and costs of storing cardholder information.
If cards are only processed on your business network and cardholder information is not stored electronically, SAQ C applies. This level does require some security standards to be implemented, but quite frankly these requirements should be in place to protect sensitive financial and customer records in any case. The costs of recovering from a virus or a nefarious intrusion alone are much higher than those of good preventive security policies.