Securing your customers' sensitive credit card data
- Do you accept credit cards and really know what the consequences are if you don't protect your customer data?
- Don’t put all your trust in your developer – know the issues yourself and push your tech team.
As an online retailer you are responsible for protecting your customers' sensitive information, such as credit card numbers, as it passes between the customer, your website and the bank or payment gateway.
With the increase in online sales and the ever-present danger of high-tech crimes such as card skimming and hacking, you could become the focus of an investigation if a customer's credit card is used fraudulently. This can be time consuming and expensive, and could result in lawsuits and criminal action if the losses experienced by card companies and financial institutions need to be recovered.
Did you know that even businesses accepting fewer than 20,000 transactions a year are required by Visa to complete an annual PCI Self-Assessment Questionnaire (SAQ) and to have their website and network scanned by an Approved Scanning Vendor (ASV)?
The global standard for the security of credit card information is called the Payment Card Industry Data Security Standard (PCI DSS).
As a merchant accepting credit cards you are responsible for meeting the terms and conditions of the credit card companies and your bank. As an online merchant you are also required to meet the PCI DSS.
The security of your customers' data generally falls into one of two categories, both of which present security challenges:
Data in transit – covers the transfer of the data from your customer's computer to your website, and from your website to the financial institution. This is usually covered by the certificate technology still marketed as Secure Sockets Layer (SSL); the protocol that actually does the work today is its successor, Transport Layer Security (TLS), and the same certificates serve it. Note that a certificate on your site only protects the hop between the browser and your website: the connection from your website to the bank or gateway must use TLS as well. SSL certificates can range from $150 – $800 per year depending on your requirements.
Stored data for future use – where data may be saved in a database or file for you to use at a later date. The management of this data is governed by two simple principles:
‘Don't store the data unless you absolutely need it’ – This is the easiest and best way to ensure your customers' data is not at risk from being saved for a prolonged period. It does not, however, relieve you of your duty to ensure you are within the PCI DSS. Red5 development guidelines mean that the code we produce sits in this category: a credit card number is not saved in your system for any longer than it takes for the transaction to take place, and the card security code (CVV) is never stored at all.
‘If you need to store the data, encrypt it.’ – Under this premise, much more work is required to encrypt the data, manage the encryption keys separately from it, and audit your systems. There are other options if you need to hold a card number to regularly debit different amounts; for example, most payment gateways can hold the card on your behalf and give you a token to charge against, so the card number never has to live in your system.
The easiest way to meet the scanning requirement of PCI DSS is to subscribe to a service such as Comodo's HackerGuardian or McAfee Secure for quarterly ASV scans. A passing scan does not by itself make you compliant: the SAQ and the rest of the standard (how you handle, store and transmit card data) still apply. Contact SixFive to find out about pricing for these services and for advice on how to ensure your site is secure.
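The ‘don't store it’ principle above is easy to state and easy to break by accident: the full card number ends up in an orders table or a debug log. As an added example (not code from this article, SixFive or Red5), the Python below shows the two checks a developer can build in: reduce the checkout form to a record that holds only the masked number, expiry and a gateway token, and scrub any card number that reaches a log line. The gateway token, the test card number and the log line are constructed sample values; the Luhn check is used to tell a real card number from an order or tracking number of similar length.

```python
import re

# Anything that looks like 13 to 19 digits, optionally separated by single
# spaces or hyphens, e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111".
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Every issued card number passes it, so it is a
    cheap way to separate a PAN from an order id of similar length."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be
    displayed, and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(checkout: dict, gateway_token: str) -> dict:
    """Reduce the fields collected at checkout to the only record that should
    ever reach your database: no full PAN, never the CVV, plus the token your
    payment gateway issued so that repeat charges go through the gateway."""
    pan = re.sub(r"\D", "", checkout["card_number"])
    if not luhn_valid(pan):
        raise ValueError("card number fails the Luhn check")
    return {
        "card_last4": pan[-4:],
        "card_masked": mask_pan(pan),
        "card_expiry": checkout["expiry"],
        "gateway_token": gateway_token,
        # No "cvv" key: PCI DSS forbids storing it after authorisation, even encrypted.
    }


def scrub_pans(text: str) -> str:
    """Replace any Luhn-valid card number in a log line with its masked form,
    leaving other long digit strings (order ids, tracking numbers) untouched."""
    def replace(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(replace, text)


if __name__ == "__main__":
    # Constructed sample data: a well-known Visa test number and a made-up token.
    checkout = {"card_number": "4111-1111-1111-1111", "expiry": "12/29", "cvv": "123"}
    print(prepare_for_storage(checkout, gateway_token="tok_example_123"))
    print(scrub_pans("order=20240105-778 card=4111 1111 1111 1111 tracking=1234567890123456"))
```

Run `scrub_pans` over every log line before it is written, not just the ones you think carry card data; the tracking number in the sample is left alone because it fails the Luhn check, while the card number is masked. If you do decide to keep the full number, this record is the wrong place for it: that is the ‘encrypt it’ route, with its own key management and audit obligations.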
SixFive is a web and mobile app developer. If you'd like some assistance in making your website work well on mobile, or in creating and launching a mobile app for your business, drop us a line; we'd be only too happy to assist you.