Card & Card Holder Data Best Practices

Fri 22nd Nov 2013

What is the best way to store card data?
Computerised/online details: in an encrypted file whose password is known only to the business owners and the people who NEED to have access.

Receipts: store these in a safe box. Also, keep a diary of everything you do, so that, for example, you have written down that you visited a client on 24th January and that is why you have a legitimate petrol receipt for the same day.

Why should you never store the long card number?
You should never store the long card number because, by not storing it, you protect yourself from fraud claims. If you are not actually able to commit fraud or use someone else’s bank details, you cannot be blamed for it.

What is the best way to protect card holder data?
Don’t store cardholder data unless it’s absolutely necessary.
If you are keeping it, ensure any other companies that have access to the data are compliant with PCI DSS.
If you’re storing the data online or on a computer, make sure the files are strongly encrypted.

Why should you restrict certain personnel from accessing cardholder data?
You should restrict certain people from being able to access cardholder data to protect you (the business owner/manager/director) from being accused of fraud. By only allowing access to the people who need it and who are aware of the security policies, you protect yourself from any accusations.

How should you store card holder data?
If the card holder data is on a computer, store it in an encrypted file. If it is in physical form, store it in a box that is not accessible to anyone but the people who need access to it. Keep data labelled and traceable.
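The two points above (never store the long card number; keep whatever you do store labelled and traceable) can be enforced in code rather than left to policy. The following is an added example, not code from the original page: it validates a card number with the Luhn check, keeps only the last four digits for display, derives a keyed HMAC token so a record can still be matched without the full number being recoverable, and scans free text such as diary notes for card numbers that should not be there. The secret key, the record layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key for this example only. In a real deployment the key would be
# loaded from a key-management system, never written into source code.
EXAMPLE_LOOKUP_KEY = b"example-only-key-replace-in-production"

# Matches 13 to 19 digits, optionally separated by spaces or hyphens.
_PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class StoredCardRecord:
    """What a merchant may keep on file: no full card number, no CVV."""
    masked_pan: str    # e.g. "************1111", safe to display
    lookup_token: str  # keyed HMAC of the digits, cannot be reversed to the number
    expiry: str        # "MM/YY"


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check digit test over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def lookup_token(pan: str, key: bytes = EXAMPLE_LOOKUP_KEY) -> str:
    """Keyed HMAC-SHA256 of the digits. Without the key, the token reveals
    nothing about the number and cannot be brute-forced from the small
    space of valid card numbers."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(pan: str, expiry: str,
                        key: bytes = EXAMPLE_LOOKUP_KEY) -> StoredCardRecord:
    """Turn a freshly entered card number into the only record that is kept.
    The function deliberately has no CVV parameter: that value must never be
    stored after authorisation."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    return StoredCardRecord(mask_pan(digits), lookup_token(digits, key), expiry)


def redact_pans_in_text(text: str) -> str:
    """Replace any Luhn-valid card number found in free text (diary entries,
    notes, log lines) with its masked form, so a stray number is not kept."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return _PAN_PATTERN.sub(_mask, text)


if __name__ == "__main__":
    # 4111 1111 1111 1111 is the well-known Visa test number, not a real card.
    record = prepare_for_storage("4111 1111 1111 1111", "12/25")
    print(record)
    print(redact_pans_in_text("Visited client 24 Jan, paid with 4111 1111 1111 1111"))
```

Because the stored record holds only a mask and a keyed token, a copy of the file leaking gives an attacker nothing usable, while the business can still tell which customer a later refund or chargeback refers to by recomputing the token with its key.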

Why should data be labelled or traceable?
If you do not know where your customers’ card details are, they could be anywhere. Without 100% control of and knowledge about where your data is, you are opening yourself up to the risk of data fraud.