Can We Securely Store Card Data for Recurring Billing?

Should your business store cardholder data?

While the PCI DSS discourages businesses from storing credit card data, many feel the practice is necessary in order to facilitate recurring payments. Here are a few of the related questions we’ve recently received:

Question:

We store credit card info (number & expiration) to run on our terminal in house for monthly billing reasons for customers. We store these numbers in a card index file. Is this compliant?

Answer:

We are considering storing customer card details including the security code on the signature strip. We would not use these details unless the customers do not show up for a large reservation booked. Once the reservation is over the details would be deleted. It would only be stored on a password protected document and only accessed by people who need to access it. Can we do this?

Question:

What are the requirements for storing credit cards received by mail? Particularly when this is an authorization for a recurring transaction.

Answer:

If you’re storing the data via hard copy, you’ll need to review and follow PCI DSS Requirement 9. In order for the electronic storage of cardholder data to be PCI compliant, appropriate encryption must be applied to the PAN (primary account number). In this situation, the numbers in the electronic file should be encrypted (either at the column level, file level or disk level).

Understanding the Importance of Security Testing

Additionally, all other PCI controls would apply to the environment in which the cardholder data is transmitted and stored. This includes, but is not limited to, appropriate access control, network security parameters, physical security parameters and periodic security testing, such as penetration testing and vulnerability scanning.

Alternatively, tokenization can be implemented for recurring and/or delayed transactions to help reduce or eliminate the need for electronically stored cardholder data while still maintaining current business processes. Again, the best thing you can do for your business is to not store any cardholder data or personally identifiable information (PII) at all.

Contact the VikingCloud team for more information on ensuring your organization is PCI compliant.