Storing Credit Card Details

[Alan @ Clyde Resources]

Hi there

I provide a a range of different services for small businesses. To enable us to get paid quicker and on time, and also to reduce admin, I am asking our customers when they sign up to register a credit card. We then provide them with a monthly invoice on the 1st of each month and credit their card a few days later.

I have the customers permission to do this, however someone has advised that I should not be storing my customers credit card details, even though I have their consent.

Could someone please advise if this is the case?

 

[wizzard]

I would talk to someone else. Of course you can store credit card details if they're properly encrypted. Just wondering if you'd have to register under the Data Protection Act though?

 

[14Steve14]

If i was you i would visit the visa card site, or it may be the mastercard site, and read up on PCI compliance. I dont think you are able to store complete card details unless you comply.

 

[MASSEY]

Its the same as shopping really isnt it, i have card details stored on the tesco site so when i order i can just push order.

If you are getting consent im sure its fine. But if you intend to have a little black book stored in your draw with people address and card details then there will be a problem like suggested you will need to encrypt.

 

[Faevilangel]

You need to comply with the data protection act, and be pci compliant. Your server needs to be dedicated as well.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

From http://www.pcicomplianceguide.org/


As you store the details then charge the card, you need to be compliant.

 

[David Richards]

I have the customers permission to do this, however someone has advised that I should not be storing my customers credit card details, even though I have their consent.

As others have said - definitely not.. unless you comply with the strict rules of PCI-DSS. Big organisations (such as Tesco) can do this as they have invested a lot of money in the systems and processes to keep the card data secure - that's not so easy for a small business to achieve.
If you use a payment gateway, you may find that they offer services to help you. They can store the data securely so you may be able to do repeat payments, without you needing to access or enter your customers' card details every time.

Alternatively why not consider direct debit?

 

[David Richards]

I forgot to add this in my earlier post...

You need to sort this out quickly. At the moment you are leaving yourself open to unlimited penalties from the card companies (any fraud and you will be liable for the full amount) and/or being not being allowed to accept cards at all in the future.

 

[Alan @ Clyde Resources]

Thanks for the reply's.

I am currently with Sage pay, does anyone know if this offers any facilities to store card details securely.

The reason I chose to take credit card details was simply down to cost, I thought taking direct debits was costly to set-up?

 

[Alan @ Clyde Resources]

I have actually checked with my accounts department and we are PCI compliant.

 

[David Richards]

I am currently with Sage pay, does anyone know if this offers any facilities to store card details securely.

Yes, they can do that if you have a 'Continuous Authority Internet Merchant Number'. Rather than copy all the info here, visit the Sage Pay help centre and search for Continuous Authority.

 

[David Richards]

I have actually checked with my accounts department and we are PCI compliant.

There are different levels of PCI compliance. For example your payment services provider (Sage Pay) is level 1 PCI-DSS compliant. You will probably only need to achieve level 4 compliance - and you will quickly lose that status if the card companies find out you are storing card numbers, expiry dates and CV2 numbers.

 

[Joe_SagePay]

Hi Alan,

Storing any card details will require you to meet additional PCI DSS compliancy standards and further audits by your QSA (Qualified Security Assessor). There are alternative to help you achieve what you wish to do without having to store any card details.

One option will be to use the continuous authority method which is designed for recurring payments (such as memberships and subscriptions) where you are able to repeat the original transaction each month. This method doesn't require you to store any card details as the sensitive card details will be stored on our level 1 PCI compliant servers. You simply send a repeat payment registration after the initial registration each month to take payments. Using this option will require you to set up and gain permission from your merchant account provider.

The other option will be to use a form of Payment Tokenisation, such as our recently developed Token System. This is ideal for what you are currently doing/wishing to do which will allow your customers to register their card details with you yet remove the risk of having to actually store the card details. The Token system will convert the card number into a randomly generated 'Token' and return this back to you for you to store within your database. Then each month when you wish to take a payment, you simply send this 'Token', in place of the card detail, to obtain authorisation. Not only does this provide the same experience as storing the card number but it also provides an immediate checkout process similar to what some of the large online retailers offer but without the risk, cost or hassle.

Hope this makes sense and if you need any further information, email us on [email protected].

Cheers
Joe