Oct 14 2008

Why is your company storing credit card numbers?

Published by at 5:58 am under PCI

I don’t know where the saying comes from, but an axiom I use frequently is “They can’t steal what you don’t have”.  In other words, it is impossible for someone to steal something from you that you don’t have.  This is one of the reasons many of us don’t carry any more in our wallets than absolutely necessary when traveling; if I don’t have unnecessary credit and debit cards in my wallet, I won’t lose them if my wallet is stolen or I leave it on the conveyor belt at the TSA checkpoint.  The same idea goes for credit cards on your network and in your databases:  if you don’t have the data, it can’t be stolen.

Many of the merchants I’ve dealt with keep everything and I do mean everything.  I’ve run into systems that have card numbers in their databases that date back to the first time they opened up an e-commerce site in the late 80’s.  The majority of the card numbers in these systems have long since expired, but the merchant steadfastly refuses to purge any of the data ‘just in case it might be useful some day’.  In most cases, they don’t actually use the stored credit card numbers in any way, shape or form, but they feel the need to have the data just to have the data.  After all, we all know data is valuable, and what’s more valuable than a potential customer’s credit card number?

What very few merchants have done is to actually take the time to weigh the potential value of the stored credit card numbers against the risk of being compromised and the cost of properly securing the data on the network.  Have you ever asked yourself how much profit you actually make off of the credit card numbers you’re storing in that massive database in the server room?  Is the data actually being used right now, or is it being stored because that’s what was done when the system was built and it’s the way you’ve always done it?  You need to evaluate how much that data’s worth to your company, decide if it’s worth what you’re paying to store it and what you’re paying to secure it, and what the potential downsides will be if someone manages to worm their way into your network and steal the data.  Heck, what if a backup tape just happens to fall off the back of a DHL truck and you have to report it under one of the several dozen state laws governing data loss?

Once you know what the data’s worth to your company, the decisions to keep it all, purge older data or keep nothing become much easier.  There may be a perfectly valid reason to keep the data, a business reason that’s directly related to profit.  More likely, old credit card numbers are useless to your company and you can minimize the amount you’re storing by purging or truncating older card numbers.  And in some cases, you really don’t need old card numbers at all and should delete them as soon as possible.  Oops, I just heard your marketing department scream when I suggested keeping no credit card data at all.  But it’s a serious point of discussion; if you’re not using the data, why are you spending the money to store and protect it in the first place?
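The "purge or truncate" decision above is easy to state and easy to forget to enforce. The following is an added example (not code from the original post) of a retention job that turns the post’s advice into a mechanical policy: keep the full number only while a refund is still possible, truncate to the last four digits plus the processor’s transaction ID after that, and purge the row entirely once it is past the retention period or the card has expired. The record layout, the 90-day refund window, the 365-day retention period and every record below are assumptions constructed for the example; the numbers shown are well-known test card numbers, not real cards.

```python
"""Retention policy for stored card records (added example, not the post's own code).

Policy modelled on the post's advice (all windows are assumptions):
  * inside the refund window  : keep the full PAN (the one business reason we allow)
  * after the refund window   : truncate to last four digits + transaction id
  * past retention, or card expired : purge the record entirely
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CardRecord:
    txn_id: str               # processor transaction id, enough for refunds at many acquirers
    pan: Optional[str]        # full card number; None once truncated or purged
    last4: str                # last four digits, kept for customer-service lookups
    expiry: Tuple[int, int]   # (month, year) printed on the card
    txn_date: date            # date of the original transaction


def card_expired(expiry: Tuple[int, int], today: date) -> bool:
    """A card is valid through the last day of its expiry month."""
    month, year = expiry
    return (year, month) < (today.year, today.month)


def truncate(rec: CardRecord) -> CardRecord:
    """Drop the full PAN; last4 and txn_id remain for refunds and lookups."""
    return replace(rec, pan=None)


def apply_retention(records: List[CardRecord], today: date,
                    refund_window_days: int = 90,
                    retention_days: int = 365):
    """Return (kept_records, purged_count, truncated_count) after applying the policy."""
    kept: List[CardRecord] = []
    purged = truncated = 0
    for rec in records:
        age = (today - rec.txn_date).days
        # nothing to refund against an expired card or an ancient transaction: purge
        if age > retention_days or card_expired(rec.expiry, today):
            purged += 1
            continue
        # refund window closed: the full number no longer earns its keep
        if age > refund_window_days and rec.pan is not None:
            rec = truncate(rec)
            truncated += 1
        kept.append(rec)
    return kept, purged, truncated


def full_pans_remaining(records: List[CardRecord]) -> int:
    """How many rows still hold a full card number: the figure to report to management."""
    return sum(1 for r in records if r.pan is not None)


# Constructed sample data; the PANs are published test numbers, not real cards.
TODAY = date(2008, 10, 14)
SAMPLE_RECORDS = [
    CardRecord("TX-1001", "4111111111111111", "1111", (12, 2009), date(2008, 10, 1)),  # 13 days: keep
    CardRecord("TX-1002", "5500000000000004", "0004", (6, 2010), date(2008, 6, 1)),    # 135 days: truncate
    CardRecord("TX-1003", "4111111111111111", "1111", (12, 2009), date(2007, 5, 1)),   # > 1 year: purge
    CardRecord("TX-1004", "5500000000000004", "0004", (8, 2008), date(2008, 9, 1)),    # card expired: purge
    CardRecord("TX-1005", None, "1111", (1, 2010), date(2008, 7, 1)),                  # already truncated: keep
]

if __name__ == "__main__":
    kept, purged, truncated = apply_retention(SAMPLE_RECORDS, TODAY)
    print(f"kept={len(kept)} purged={purged} truncated={truncated} "
          f"full PANs still stored={full_pans_remaining(kept)}")
```

Run as a scheduled job, the interesting output is the last figure: if `full_pans_remaining` is not trending toward the number of transactions inside the refund window, someone is writing card numbers somewhere the policy does not reach.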

Most companies keep credit card numbers for four reasons.  The first is that they say they need it ‘just in case’, for things like chargebacks or for customer convenience when they return to your site.  Chargebacks might be a valid concern or they might not; when was the last time someone at your company talked to your acquiring bank and asked what the minimum information needed for a chargeback or refund was?  I’m willing to bet the answer is either never or at least not in the 21st century.  And as far as customer convenience, that’s another one of the trade-off issues: are the bulk of your customers coming back to the site frequently, or are they mainly one-time shoppers?  I’ve dealt with companies that stopped storing credit card numbers for customers and used it as a selling point, explaining to customers that they don’t keep credit cards for security reasons.  They were surprised at how positive the reaction was to a show of concern for the customer’s security.  If your customers only return every couple of months or never, is it worth the money to save their credit card information?

The second reason many businesses keep credit card numbers is for the marketing department.  This is one I just find confusing.  What can the marketing department really do with credit card numbers?  Your marketing department shouldn’t ever be viewing the credit card information directly, period.  They can use credit card data to make sales, but this is basically the same as keeping it for customer convenience on the web site.  They could be using the information for reporting purposes, but again, they should never be using live credit card numbers in reports.  I’ve heard of some companies sharing credit card information with third-party marketing companies, but you’d better have an ironclad contract with that third party so that they take full responsibility for the security of your customers’ credit card information.  Not to mention that PCI clauses in contracts with your partners are required by the PCI DSS.

The third reason is perhaps the silliest:  “That’s the way we’ve always done it.”  The assumption is that there was originally a reason everything was saved forever and it was a good reason, so we can’t change now.  This is one of the worst phrases you can use when dealing with sensitive information, whether it’s cardholder data or any other type of valuable information.  Challenge these assumptions!  Find out if there’s really a reason to keep the information or if it’s just being kept because ‘Joe said we needed to when the system was built’.  ‘Joe’ left the company five years ago, so why are you still following old guidelines?  A corollary to this is that the engineers who set up the system kept everything, just because that’s what most engineers do; you keep everything and grep for what you need.  That’s great for log files, but not so great for cardholder data.  Do yourself a favor and ask your marketing department and web site engineers what they do with the data and if they really have a valid reason for keeping it.  You might be surprised at the answer; sometimes they’ll tell you they have no more idea why the information’s being kept than you do.
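Finding out who is saving card numbers usually starts with finding where they are: the debug log the engineers “kept everything” in, the legacy export, the report the marketing department runs.  The following is an added example (not code from the original post) of a small discovery scan: it pulls digit runs of card-number length out of text, strips the separators, rejects anything that fails the Luhn check (so order numbers and timestamps are not reported), and records only a masked value and the line number, so the scan report itself does not become one more place full numbers are stored.  The log lines are constructed for the example and the two numbers it finds are published test card numbers.

```python
"""Discovery scan for stored card numbers in text (added example, not the post's own code).

Reports (line number, masked PAN) for every Luhn-valid 13-19 digit run,
so that the report can be shared without itself containing cardholder data.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits; never write a full PAN into the findings."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Masked card numbers found in one string, in order of appearance."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, masked PAN) for every hit across the given lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            hits.append((lineno, masked))
    return hits


# Constructed sample log; the order id on line 1 is 16 digits but fails Luhn, so it is not reported.
SAMPLE_LOG = [
    "2008-10-14 05:58:01 checkout order=1234567890123456 amount=49.99",
    '2008-10-14 05:58:02 DEBUG request body: {"card":"4111 1111 1111 1111","exp":"12/09"}',
    "2008-10-14 05:58:03 refund txn=TX-88213 last4=1111",
    "2008-10-14 05:58:04 legacy export pan=5500000000000004",
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

Point it at log directories, database exports and report output rather than only the main transaction table; in my experience the surprises are in the places nobody thinks of as “the cardholder database”.  Luhn filtering removes most noise, but a hit still needs a human to confirm it before you go asking the owning department why it is there.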

The final reason is one of the few I can’t argue with:  we need it for legal/financial reasons.  If your company has specific requirements concerning financial data, that’s the bottom line.  But you need to make sure everyone understands the real requirements and isn’t just making assumptions based on incomplete or faulty understanding of the requirements.  This is another set of assumptions that needs to be examined and analyzed to make sure there’s not another way to fulfill the same requirement, a way that doesn’t involve storing sensitive information.  Of all the reasons to keep credit card numbers, this is probably the only one that can’t be worked around, so work with your accounting and legal departments to find out what’s really the minimum amount of information needed and keep only that.

Many merchants have never examined the information they keep and why.  They just keep everything, assuming they need it.  They spend the money to secure the data when they don’t have to.  Or worse, they don’t spend the money they should and put themselves and their customers at risk.  Challenge the assumptions around your stored cardholder data, talk to your marketing department, find out who’s saving the information and why.  We’re in tough financial times and if you can save money by not saving credit card numbers and not spending the money on the safeguards that information necessitates, you can be a hero.  But you might first have to become the villain who’s pushing other departments to re-examine their assumptions.

One last thought:  consider outsourcing your credit card storage and processing, especially if you’re a small to medium business.  It might cost you slightly more to have someone else do all the work, but it can also save you money by offloading all of the responsibility of securing the data.  Chances are they have a better solution for securing the data than you do, and the savings of doing it yourself were only illusory to begin with; you’re saving money because you haven’t really secured the data or met the PCI requirements in the first place, not because your data is secure.  In other words, you’re only saving money because you haven’t spent the time and money to encrypt your database and implement a web app firewall, not because you can do a better job of securing the data yourself.

Update:  I was looking at the PCI Council site and found a link to a similar article from the Wall Street Journal


21 Responses to “Why is your company storing credit card numbers?”

  1. Joe Franscella on 14 Oct 2008 at 6:22 am

    I have accounts with some online retailers and bill pay sites that have cc numbers stored for the purposes of regular purchases and monthly payments, is that a bad idea to allow a merchant to store the number for those reasons?

  2. Martin on 14 Oct 2008 at 6:29 am

    That’s a call you have to make, Joe. Is the convenience offered by these services worth the risk that they might not be securely storing your data? The problem is, most merchants and most customers never examine the risk to reward ratio, they just offer up their CCN without hesitation.

    For what it’s worth, I have my card numbers stored on a few merchant sites, but it’s rare. But I’ve done the math and I think Amazon can be trusted, at least for now.

    Martin

  3. Joanne on 14 Oct 2008 at 11:23 am

    My simple suggestion is get rid of your credit cards COMPLETELY. Most of my problems were due to my credit cards and my infatuation with using them to buy shoes.

  4. […] Martin writes a great post titled: Why is your company storing credit card numbers? […]

  5. Martin (not that Martin - a different Martin) on 14 Oct 2008 at 12:41 pm

    OK, I get the whole keep my identity to myself and getting things fixed after someone steals your credit card numbers is a pain …BUT….

    I am of the opinion that things like PCI and, to a related degree, things like the “FreeCreditReport.com” (and I know that the doggone jingle is running through your head now…) are part of a marketing plan that tries to transfer the risk of stolen credit card data downstream to the merchant and then to the cardholder, if only psychologically. The truth of the matter is that I’m not liable for what’s done by a thief with my card. Neither, I would suspect, are you. The risk for unauthorized transactions falls on the banks…not me. (For the moment we shall ignore the greater social consequences of theft and how all of us, in the end, pay for it through higher fees and charges.)

    So the credit card companies are transferring risk to the banks and the banks are transferring it to the merchants and the merchants would love dearly to transfer it to us.

    I think that as long as I take reasonable precautions I’ll be fine and I’ll let the various merchants take the risk of keeping my card data…

  6. Martin on 14 Oct 2008 at 4:08 pm

    Martin,

    The risk has been with the merchant almost since the beginning of credit cards themselves. There was a time that the CC companies would push the risk off on the consumer, but they realized it was bad marketing. The CC companies allowed the consumer protection laws that limit our liability to $50 to be passed simply because it increased consumer confidence. However, merchants don’t have much power in this equation, which is why they get the short end of the stick in the whole thing.

    This post was about why are merchants storing credit card numbers (CCN) when they don’t really need them. And the answer is usually because they think they’ll need the CCN for something, even if they don’t know what that something is. That’s something the merchant has total control over, they just never make use of it. This is a risk the merchant has to evaluate and it has nothing to do with our risks as consumers.

    Martin

  7. Manish on 15 Oct 2008 at 5:30 am

    Folks,

    The card fraud risk / liability is borne by the merchant and the issuer of the card. Unfortunately, merchants cannot get away from not storing the card information within their systems for reasons such as customer service, charge back processing, refunds / reversals and settlement and reconciliation.

    Manish

  8. Martin on 15 Oct 2008 at 5:45 am

    Manish,

    You might want to double-check how much information is really needed for charge back processing and the like. It depends, at least in part, on who your acquiring bank is. Some of them are now making it easier to give refunds etc without the card number, as long as the merchant has a transaction ID. This is something I’m hoping we’ll see more and more banks doing, further enabling merchants to do away with long term storage of credit cards.

    If nothing else, merchants should pay attention to their own data retention policies and refund policies. Once the refund policy time has been exceeded you have another good point to purge the data from the database. One less excuse to keep the information ad infinitum.

    Martin

  9. Friday Summary 10-17-08 | securosis.com on 17 Oct 2008 at 11:06 am

    […] Adrian: Over on the Network Security Blog, Martin has an excellent post on a topic that should get far more attention than it does: Why Is Your Company Storing Credit Card Numbers? […]

  10. Walt Conway on 21 Oct 2008 at 8:31 am

    Thanks for the thoughtful post and good advice. I posted a link to it at my own PCI blog: http://treasuryinstitute.org/blog/index.php?itemid=187

  11. Steve on 21 Oct 2008 at 11:08 am

    I know a lot of companies these days are only storing the last 4 of the card number. Which is really only what you need for verification purposes.
    —-
    Spy Shop
    http://www.BunkerSpy.com

  12. Walt Conway on 21 Oct 2008 at 12:48 pm

    A specific comment on your 4th reason: “we need it for legal/financial reasons.” I’d like to challenge that, too. Banks and financial institutions are required to keep financial transaction records for varying periods of time (state, fed, industry). But there are no legal requirements that merchants keep transaction records. Now, your acquirer/card processor may ask you to keep the records for a while, but there is no requirement. Understand that. You may agree to do this, but you are not required by any law I’ve ever run into.

    On a more general note, I agree completely with the “if you don’t need it, don’t keep it” philosophy. I work with many clients on PCI compliance, and our starting point is always that we will eliminate ALL cardholder data storage on any system or laptop. Period. Other than cases of poorly-designed software apps that retain the data, we are usually successful.

  13. LMC on 23 Oct 2008 at 11:24 am

    How can I report a company who has used my credit card number for additional unauthorized purchases? They keep calling these debits “mistakes” and they credit it back however I was informed that our information would not be used after our initial purchase.

  14. Untitled 1 | securosis.com on 31 Oct 2008 at 11:29 am

    […] Martin asks a simple, and profound question. What the hell are you doing with those credit card numbers in the first place?!? (He used nicer […]

  15. Matt on 15 Nov 2008 at 10:52 pm

    You make a good argument concerning why not to store credit card information. I don’t understand why anyone would want to take that risk with no potential for reward. I’ve used many open source shopping carts that store this data in full completely unencrypted. I shudder to think of how many ecommerce sites have my credit card info sitting in an unsecured database even though I never opted to have that information saved.

    Do you have any plans to make a more informative post regarding how to keep credit card information safe and retrievable for merchants who do need to keep the information? Service-oriented companies, for example, that charge their customers monthly. In my experience with card processing companies, you cannot charge a card based on previous transaction IDs though I have been able to refund using only the transaction ID.

    I’m just beginning to do research into legal requirements (if any) for securely storing card information for a similar case as described above. Sounds like you may have knowledge to share with many of us looking at cost-effective and simple means of keeping card information obfuscated.

  16. Jennifer on 03 Dec 2008 at 4:39 pm

    So confused.
    Martin, my question is similar to Matt’s above. We are a service-oriented company as well.

  17. Kat Myers on 08 Dec 2008 at 12:24 pm

    How would a company properly secure credit card information if it was decided that it was necessary to keep the data?

  18. Sandra Jean on 26 Dec 2008 at 12:55 pm

    I’ve been using This company for a long time. Due to new Visa/Mastercard laws they increased security to the highest level, and the store owner never has access to the full credit card information. Once it goes to the bank, it is never stored.

  19. Walt on 06 Jan 2009 at 8:56 am

    Interesting to see this thread still running…I think a nerve has been hit.

    To answer Matt’s (and Jennifer’s and Kat’s) question, the way to keep cardholder data secure is PCI compliance. It may not be perfect but it is a prescriptive standard (love it or hate it), and it is the way to go.

    As for recurring payments and exception items (chargebacks, refunds, etc), you do not need to keep the primary account number (PAN). Your acquirer/processor will have programs that allow you to do recurring payments by linking to the original auth; and you can look up the info you need for chargebacks, etc., based on other payment data such as date, time, amount, and last 4 digits of the PAN. Hey…it was the banks’ idea to mandate PCI, so let them have the fun of protecting the data!

    There is no need to keep payment card numbers.

  20. kim on 19 May 2009 at 8:22 am

    FYI, when the marketing department says they need the CC info stored, it’s because the customer wants it stored. Many users want to save their CC info so they don’t have to re-enter it every time they come to the site. It’s called “ease of use.” The customer is certainly capable of determining for themselves if they want to store their CC on your system or not. If they don’t want to run the risk, they do not need to allow the information to be stored.

  21. Robert3012 on 03 Sep 2014 at 7:23 pm

    It’s not difficult for businesses after capturing the CC data at point of sale to process it, i.e. submit it to the issuing bank for payment, then encrypting the number to DOD or the higher levels of RSA standards. This can be done in a matter of moments. They can keep all the other relevant data, customer name, address, transaction number, date and time, register number, etc in the clear if they so desire and even keep the CC Data in a separate encrypted Database that is linked to the Customer Data by a key number. The problem is usually that these businesses have older, somewhat antiquated Data Processing Systems and or Software that has been modified, patched and altered numerous times over the years because that’s cheaper than having a new from the ground up custom written software that addresses current issues. It’s always about the bottom line, not what should be done. It’s only after they get breached and the legal sharks attack and they wind up paying huge judgment that they all of a sudden decide that new software is needed. In the end it costs them far more than if they had been proactive instead of reactive. As far as keeping for marketing purposes, they have no need whatsoever for the CC Numbers. All they need is demographics, where does the customer live, how much did they buy, have they bought from us before, how often, was it a debit card, charge card, visa or MC, etc, etc. If they are selling the information to other businesses, then where is my payment for my information? Every time they sell my info I should receive a check, period!
