Protecting Cardholder Data Is Good Business
It's all about trust: When customers hand you their credit or debit card or provide their account information, they expect you to safeguard that sensitive data.
Keeping that trust is not only essential for fraud protection -- it's just good business. As you take steps to protect cardholder data, keep these tips in mind:
Keep only what is needed.
Don't store any cardholder data that is not needed to run your business. For example, never store full-track magnetic stripe data, PIN block data or CVV2 once a transaction has been authorized. Under the Payment Card Industry Data Security Standard (PCI DSS), only the account number, expiration date and cardholder name can be stored.
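One way to enforce the full-track rule on data that is about to be written to a log or database, shown as an added example that is not part of the original article: it recognises the ISO/IEC 7813 track 1 and track 2 layouts, confirms the account number with a Luhn check to avoid false alarms, and redacts the match. The function names and the sample log lines are constructed for illustration.

```python
import re

# ISO/IEC 7813 layouts: track 1 is %B<PAN>^<NAME>^<YYMM><service code>...?
# and track 2 is ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d{3}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_line(line: str):
    """Return (clean_line, findings) with any full-track data redacted."""
    findings = []

    def redact(kind):
        def _sub(m):
            if not luhn_ok(m.group(1)):
                return m.group(0)   # not a plausible account number, keep text
            findings.append(kind)
            return f"[{kind} REDACTED]"
        return _sub

    line = TRACK1.sub(redact("TRACK1"), line)
    line = TRACK2.sub(redact("TRACK2"), line)
    return line, findings


# Constructed sample lines; 4111111111111111 is a widely used test number.
SAMPLE_LOG = [
    "2024-01-05 auth ok swipe=%B4111111111111111^DOE/JANE^30121010000000000?",
    "2024-01-05 auth ok t2=;4111111111111111=30121010000000000?",
    "2024-01-05 note ref;1234567890123456=25121010000? kept",  # fails Luhn
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, found = scrub_line(raw)
        print(found or "clean", "->", clean)
```

Running the same function over existing log files and exports is a quick way to find track data that was stored before the filter was in place.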
Physically secure printed data.
It's not just electronic data that's vulnerable to thieves. Make sure you securely store any paper receipts, orders, invoices and other printed material that contain the cardholder's full account number. When those records are no longer needed, destroy them in a secure manner (e.g., shredding). Establishing a basic data retention and destruction policy can provide guidance and ensure that you are regularly purging data.
Make sure that any outsiders with access to your business computers (like IT vendors who may connect remotely) are protecting customer data they have access to. Further, consider allowing remote access to your IT system only during scheduled maintenance times, and be sure to disable remote access features when they are not in use.
Maintain a secure network.
If you use a computer to handle cardholder data, make sure you install and maintain a firewall configuration to protect the data. Use (and regularly update) anti-virus software and avoid using this computer for non-business purposes (like surfing the web or accessing web-based personal e-mail accounts).