Comments on: Why is your company storing credit card numbers?

By: Credit Card

Credit Card — Fri, 30 Apr 2010 08:53:13 +0000

Credit cards aren’t nearly as rewarding as they were even a year ago, when I wrote the first version of this column.
Tough times mean card issuers have gotten stingier with rebates, while points and miles are harder to redeem.
What’s more, issuers have tightened their underwriting standards. That means you need to have FICO credit scores of at least 660 to qualify for most run-of-the-mill rewards cards. You have to have excellent scores — 750 or above — to get the best ones.
********************************************************************
LISA

By: kim

kim — Tue, 19 May 2009 16:22:14 +0000

FYI, when the marketing department says they need the CC info stored, it’s because the customer wants it stored. Many users want to save their CC info so they don’t have to re-enter it every time they come to the site. It’s called “ease of use.” The customer is certainly capable of determining for themselves if they want to store their CC on your system or not. If they don’t want to run the risk, they do not need to allow the information to be stored.

By: Walt

Walt — Tue, 06 Jan 2009 16:56:02 +0000

Interesting to see this thread still running…I think a nerve has been hit.

To answer Matt’s (and Jennifer’s and Kat’s) question, the way to keep cardholder data secure is PCI compliance. It may not be perfect but it is a prescriptive standard (love it or hate it), and it is the way to go.

As for recurring payments and exception items (chargebacks, refunds, etc), you do not need to keep the primary account number (PAN). You acquirer/processor will have programs that allow you to do recurring payments by linking to the original auth; and you can look up the info you need for chargebacks, etc., based on other payment data such as date, time, amount, and last 4 digits of the PAN. Hey…it was the banks’ idea to mandate PCI, so let them have the fun of protecting the data!

There is no need to keep payment card numbers.

By: Sandra Jean

Sandra Jean — Fri, 26 Dec 2008 20:55:35 +0000

I've been using This company for a long time. Due to new Visa/Mastercard laws they increased security to the highest level, and the store owner never has access to the full credit card information. Once it goes to the bank, it is never stored.

By: Kat Myers

Kat Myers — Mon, 08 Dec 2008 20:24:08 +0000

How would a company properly secure credit card information if it was decided that it was necessary to keep the data?

By: Jennifer

Jennifer — Thu, 04 Dec 2008 00:39:53 +0000

So confused.
Martin, my question is similar to Matt’s above. We are a service-oriented company as well.

By: Matt

Matt — Sun, 16 Nov 2008 06:52:31 +0000

You make a good argument concerning why not to store credit card information. I don’t understand why anyone would want to take that risk with no potential for reward. I’ve used many open source shopping carts that store this data in full completely unencrypted. I shudder to think of how many ecommerce sites have my credit card info sitting in an unsecured database even though I never opted to have that information saved.

Do you have any plans to make a more informative post regarding how to keep credit card information safe and retrievable for merchants who do need to keep the information? Service-oriented companies, for example, that charge their customers monthly. In my experience with card processing companies, you cannot charge a card based on previous transaction IDs though I have been able to refund using only the transaction ID.

I’m just beginning to do research into legal requirements (if any) for securely storing card information for a similar case as described above. Sounds like you may have knowledge to share with many of us looking at cost-effective and simple means of keeping card information obfuscated.

By: Untitled 1 | securosis.com

Untitled 1 | securosis.com — Fri, 31 Oct 2008 19:29:11 +0000

[...] Martin asks a simple, and profound question. What the hell are you doing with those credit card numbers in the first place?!? (He used nicer [...]

By: LMC

LMC — Thu, 23 Oct 2008 19:24:59 +0000

How can I report a company who has used my credit card number for additional unauthorized purchases? They keep calling these debits “mistakes” and they credit it back however I was informed that our information would not be used after our initial purchase.

By: Walt Conway

Walt Conway — Tue, 21 Oct 2008 20:48:31 +0000

A specific comment on your 4th reason: “we need it for legal/financial reasons.” I’d like to challenge that, too. Banks and financial institutions are required to keep financial transaction records for varying periods of time (state, fed, industry). But there are no legal requirements that merchants keep transaction records. Now, your acquirer/card processor may ask you to keep the records for a while, but there is no requirement. Understand that. You may agree to do this, but you are not required by any law I’ve ever run into.

On a more general note, I agree completely with the “if you don’t need it, don’t keep it” philosophy. I work with many clients on PCI compliance, and our starting point is always that we will eliminate ALL cardholder data storage on any system or laptop. Period. Other than cases of poorly-designed software apps that retain the data, we are usually successful.