Oct 14 2008
I don’t know where the saying comes from, but an axiom I use frequently is “They can’t steal what you don’t have”. In other words, it is impossible for someone to steal something from you that don’t have. This is one of the reasons many of us don’t carry any more in our wallets than absolutely necessary when traveling; if I don’t have unnecessary credit and debit cards in my wallet, I won’t lose them if my wallet is stolen or I leave it on the conveyor belt at the TSA check point. The same idea goes for credit cards on your network and in your databases: if you don’t have the data, it can’t be stolen.
Many of the merchants I’ve dealt with keep everything and I do mean everything. I’ve run into systems that have card numbers in their databases that date back to the first time they opened up an e-commerce site in the late 80’s. The majority of the card numbers in these systems have long since expired, but the merchant steadfastly refuses to purge any of the data ‘just in case it might be useful some day’. In most cases, they don’t actually use the stored credit card numbers in any way, shape or form, but they feel the need to have the data just to have the data. After all, we all know data is valuable, and what’s more valuable than a potential customer’s credit card number?
What very few merchants have done is to actually take the time to weigh the potential value of the stored credit card numbers versus the risk they take of being compromised and the cost of properly securing the data on the network. Have you ever asked yourself how much profit you actually make off of the credit card numbers you’re storing in that massive database in the server room? Is the data actually being used right now or is it being stored because that’s what was done when the system was built and it’s the way you’ve always done it? You need to evaluate how much that data’s worth to your company, decide if it’s worth what you’re paying to store it, what you’re paying to secure it and what the potential downsides will be if someone manages to worm their way into your network and steal the data. Heck, what if a backup tape just happens to fall of the back of a DHL truck and you have to report it under one of the several dozen state laws governing data loss?
Once you know what the data’s worth to your company the decisions to keep it all, purge older data or keep nothing becomes much easier. There may be a perfectly valid reason to keep the data, a business reason that’s directly related to profit. More likely, old credit card numbers are useless to your company and you can minimize the amount you’re storing by purging or truncating older card numbers. And in some cases, you really don’t need old card numbers at all and should delete them as soon as possible. Oops, I just heard your marketing department scream when I suggested keeping no credit card data at all. But it’s a serious point of discussion; if you’re not using the data, why are you spending the money to store and protect it in the first place?
Most companies keep credit card numbers for four reasons. The first is that they say they need it ‘just in case’. Things like charge backs or for customer convenience when they return to your site. Charge backs might be a valid concern or they might not; when was the last time someone at your company talked to your acquiring bank and asked what the minimum information needed for a charge back or refund was? I willing to bet the answer is either never or at least not in the 21st century. And as far as customer convenience, that’s another one of the trade-off issues: are the bulk of your customers coming back to the site frequently or are they mainly one-time shoppers? I’ve dealt with companies that stopped storing credit cards numbers for customers and used it as a selling point, explaining to customers they don’t keep credit cards for security reasons. They were surprised at how positive the reaction was to a show of concern for the customer’s security. If you’re customer’s only return every couple of months or never, is it worth the money to save their credit cad information?
The second reason many businesses keep credit card numbers is for the marketing department. This is one I just find confusing. What can the marketing department really do with credit card numbers? Your marketing department shouldn’t ever be viewing the credit card information directly, period. They can use credit card data to make sales, but this is basically the same as keeping it for customer convenience on the web site. They could be using the information for reporting purposes, but again, they should never be using live credit card numbers in reports. I’ve heard of some companies sharing credit card information with third-party marketing companies, but you’d better have an iron clad contract with that third-party so that they take full responsibility for the security of your customer’s credit card information. Not to mention PCI clauses in contracts with your partners is required by the PCI DSS.
The third reason is perhaps the silliest: “That’s the way we’ve always done it.” The assumption is, there was originally a reason everything was saved forever and it was a good reason, so we can’t change now. This is one of the worst phrases you can use when dealing with sensitive information, whether it’s cardholder data or any other type of valuable information. Challenge these assumptions! Find out if there’s really a reason to keep the information or if it’s just being kept because ‘Joe said we needed to when the system was built’. ‘Joe’ left the company five years ago, so why are you still following old guidelines? An corollary to this is the engineers who set up the system kept everything, just because that’s what most engineers do; you keep everything and grep for what you need. That’s great for log files, but not so great for cardholder data. Do yourself a favor and ask your marketing department and web site engineers what they do with the data and if they really have a valid reason for keeping it. You might be surprised at the answer, sometimes they’ll tell you they have no more idea why the information’s being kept than you do.
The final reason is one of the few I can’t argue with: we need it for legal/financial reasons. If your company has specific requirements concerning financial data, that’s the bottom line. But you need to make sure everyone understands the real requirements and isn’t just making assumptions based on incomplete or faulty understanding of the requirements. This is another set of assumptions that needs to be examined and analyzed to make sure there’s not another way to fulfill the same requirement, a way that doesn’t involve storing sensitive information. Of all the reasons to keep credit card numbers, this is probably the only one that can’t be worked around, so work with your accounting and legal departments to find out what’s really the minimum amount of information needed and keep only that.
Many merchants have never examined the information they keep and why. They just keep everything, assuming they need it. They spend the money to secure the data when they don’t have to. Or worse, they don’t spend the money they should and put themselves and their customers at risk. Challenge the assumptions around your stored cardholder data, talk to your marketing department, find out who’s saving the information and why. We’re in tough financial times and if you can save money by not saving credit card numbers and not spending the money on the safeguards that information necessitates, you can be a hero. But you might first have to become the villain who’s pushing other departments to re-examine their assumptions.
One last thought: consider outsourcing your credit card storage and processing, especially if you’re a small to medium business. It might cost you slightly more to have someone else do all the work, but it can also save you money by offloading all of the responsibility of securing the data. Chances are they have a better solution for securing the data than you do and the savings of doing it yourself were only illusionary to begin with; your saving money because you haven’t really secured the data or met the PCI requirements to begin with, not because your data is secure. In other words, you’re only saving money because you haven’t spent the time and money to encrypt your database and implement a web app firewall, not because you can do a better job of securing the data yourself.