It’s hard to believe – especially in today’s digital age – but for some merchants, storing credit card information on paper is a common practice.
A customer may call in an order while the sales rep isn’t at their computer, so the rep writes the payment info on a post-it note to enter when they’re back at their desk. Or, a trade show team doesn’t have a remote processing terminal, so they add their customers’ payment data to their paper-based order forms to process back at the office. These (and other similar) scenarios are surprisingly common – especially among merchants who think a better approach is too complicated or that they’ll never be targeted in an attack – but they leave sensitive data open to unauthorized access.
When credit card data is stored in tangible, physical, or “hard copy” format, it is easier for it to get misplaced, lost, or fall into the wrong hands. Even if it’s locked away in a secured filing cabinet, it’s impossible to track who is accessing it and when, or to confirm that copies aren’t being made for unauthorized use.
Is Storing Credit Card Data on Paper PCI-Compliant?
Storing credit card data on paper can technically be PCI-compliant. However, because of the risky nature of storing credit card information on paper, PCI compliance requirements for merchants who use this method are fairly complicated. For instance, paper media that contains cardholder data must be physically secured with strict controls for internal and external distribution; management approval must be obtained before these documents are moved; storage containers must be secured; and hard copy materials must be destroyed in a way that prevents cardholder data from being physically reconstructed.
Failing to comply with PCI standards can lead to fines and non-compliance penalties; in some cases, merchants may even risk losing their merchant account. If a data breach successfully exposes customer information, the repercussions can cost far more than investing in more robust security ever would have.
Why Payment Tokens are a Faster, More Secure Way of Keeping Credit Card Data on File
Most merchants who store credit card data on paper do so because it’s easy. However, modern payment processing solutions don’t require end users to be particularly tech-savvy; most – once implemented – require little more than basic data entry. In many cases, they allow workers to process orders more quickly than they would with a paper-based approach – and they also bring a number of security benefits with them.
Tokenization lets you process recurring charges or refunds WITHOUT having to manually enter the card number, CVV, and ZIP code each time. The token is a series of unique, random characters that can’t be decrypted and has nothing to do with the original card number. Your system references the token, so you don’t have to store the corresponding card data – whether in paper-based or in digital format – which means any potential breach of your system wouldn’t result in that data being exposed.
Think about remote tokenization in this way: if something of value is locked up in a vault, a hacker could potentially access it at any time. However, if you replace that item of value with a worthless replica, any hacker that breaks into that vault will not find the valuable goods. This keeps your valuables – in this instance, your customers’ credit card numbers – safe and secure.
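The token flow described above, as an added Python example that is not Curbstone’s code or API: TokenVault, MerchantSystem and breach_dump are hypothetical names, the vault stands in for the remote processor, and the card number is a standard test number used as constructed sample data.

```python
import secrets


class TokenVault:
    """Hypothetical stand-in for the processor's remote vault."""

    def __init__(self):
        self._cards = {}  # token -> (card number, expiry); never leaves the vault

    def tokenize(self, pan, expiry):
        # The token comes from a CSPRNG and is not computed from the card
        # number, so there is nothing to decrypt or reverse.
        token = secrets.token_urlsafe(24)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token, amount_cents):
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_cents": amount_cents, "last4": card[0][-4:]}


class MerchantSystem:
    """Hypothetical merchant order system: keeps the token, not the card."""

    def __init__(self, vault):
        self.vault = vault
        self.customers = {}  # everything a breach of this system could expose

    def save_card(self, customer_id, pan, expiry):
        token = self.vault.tokenize(pan, expiry)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}

    def recurring_charge(self, customer_id, amount_cents):
        token = self.customers[customer_id]["token"]
        return self.vault.charge(token, amount_cents)


def breach_dump(merchant):
    """What an intruder would read from the merchant's records."""
    return repr(merchant.customers)


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # constructed sample: a standard test number
    shop = MerchantSystem(TokenVault())
    shop.save_card("cust-1", TEST_PAN, "12/30")
    print(shop.recurring_charge("cust-1", 2500))
    print(TEST_PAN in breach_dump(shop))
```

The merchant record holds only the token and the last four digits, so a copy of it gives an intruder nothing that can be used as a card number, while recurring charges still go through by token.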
Discover a Better Alternative to Storing Cardholder Data on Paper
If you’re still storing your customers’ card data on paper, Curbstone can help you implement a more secure payment processing system that accommodates all the ways you do business. Our payment tokens let you run recurring charges and issue refunds without storing full credit card data on your system, potentially even reducing the scope of your PCI compliance audit. To learn more, contact us here.