How to Protect Your Ecommerce Customer Credit Card Data
The basics of implementing an SSL Certificate and good data protection practices
With the average cost of online purchases trending at about 20-40% lower than in-store purchases, investing in ecommerce allows small businesses to grow with less start-up capital. There’s no question that the ability to accept online purchases is important to many website owners.
But how can a merchant, particularly a small business owner with fewer resources than a larger company, balance opportunity with liability? Every payment processor has its own rules you will need to follow, but the basics of how to protect your ecommerce customer credit card data are fairly easy to learn.
As with most protection plans, a safe ecommerce site begins with a secure connection between you and your customers.
What’s an SSL Certificate?
An SSL certificate (strictly a TLS certificate today; SSL is the deprecated predecessor of TLS, but the old name has stuck) binds your domain name to a public key that a browser can verify. It lets a user’s browser authenticate your server and set up an encrypted connection to it, so that sensitive data such as card details cannot be read or altered in transit. Note the limit of that protection: it covers data only while it is moving between the browser and your server, and does nothing for data once you have stored it. A certificate can cover a single domain, several listed domains, or a wildcard for all subdomains, depending on its intended use.
How Does an SSL Certificate Operate?
When a user reaches an HTTPS-protected area of your website, the browser and server negotiate an encrypted connection automatically. The browser checks that the certificate was issued by a certificate authority it trusts, that it matches the domain in the address bar, and that it has not expired or been revoked; the two sides then agree on session keys that encrypt everything that follows. This exchange is the TLS (still commonly called SSL) “handshake.” Serve the whole site over HTTPS, not just the checkout pages: a checkout form loaded over plain HTTP can be altered before the user submits it, even if it posts to an HTTPS address.
Once the connection is established, a lock icon and the https:// prefix appear in the user’s address bar. Be precise about what that means: the connection is encrypted and the server holds a valid certificate for that domain, so card details entered on the page cannot be intercepted on the way to you. It does not vouch for the business behind the site; a phishing site can show a lock too. Some site owners opt for a high-assurance Extended Validation, or “EV,” certificate, which requires the certificate authority to verify the legal identity of the organization before issuing. EV certificates were developed to increase visitor confidence in a site’s security, and in ecommerce at large, when online shopping was still a newer, less trusted concept. Historically they provided a visible signal: the browser displayed the verified organization name in a green address bar. Current versions of the major browsers no longer show that indicator, so an EV certificate gives most visitors nothing they can see beyond the ordinary lock.
Why purchase an SSL Certificate?
The PCI Data Security Standard (PCI DSS), which every merchant accepts as a condition of taking card payments, requires cardholder data to be encrypted both when it is transmitted over open networks and when it is stored, and a number of U.S. state laws impose similar obligations on anyone holding card data. This applies to online merchants as much as anyone. When you capture credit card information over the internet, you are responsible not only for securing the data but also for validating the cardholder. An in-store, or “card present” (CP), transaction gives the merchant several ways to prevent fraud. A cashier in a brick-and-mortar store can inspect the card, ask for identification, and require a signature. CP transactions are also typically run on chip-enabled (EMV) cards, which generate a unique cryptogram for every purchase, so data copied from one transaction cannot be replayed for another. If a merchant uses a chip-capable terminal and follows these procedures, liability for fraud on a CP transaction generally sits with the bank that issued the card, and the merchant does not absorb the chargeback.
An online, or “card-not-present” (CNP), transaction has none of these built-in protections. The merchant cannot inspect the card or the person using it, and the purchase is carried out with the card number, expiration date and security code rather than the chip, all of which a fraudster may have obtained elsewhere. Fraud therefore has far more room to occur unchecked, and the chargeback for a fraudulent CNP transaction is generally charged to the business that accepted the payment. Processor-side checks such as address verification (AVS), the card security code and 3-D Secure reduce that exposure, but they do not reduce your responsibility for the data you handle.
Good Data Protection Practices Include:
1. Use PCI-validated hardware and software to process transactions:
The PCI Security Standards Council is the international industry body that develops the standards and guidelines for payment security, including PCI DSS. A current, searchable list of approved PIN Transaction Security (PTS) devices and validated payment software can be found on the PCI Security Standards Council website. Check the list before you buy, and keep the software at a version that is still supported, since a validated product running an unpatched old version does not keep you compliant.
2. Encrypt all data prior to storage:
If you must store a card number, encrypt it with a current, well-reviewed algorithm (AES in an authenticated mode such as GCM) and keep the encryption key outside the database, under access controls separate from the data it protects; an encrypted column whose key sits in the same database or the same application configuration as the ciphertext gains you little when the server is compromised. When in doubt, it is always better not to store your customers’ card details at all. Store their name, billing and shipping addresses and contact information, and ask them to enter the card for every transaction. Better still, contract with a payment processor that stores the card for you and returns a token: a reference your system can use for later charges but that is worthless to anyone who steals your database. With a processor’s hosted payment page or tokenization SDK the full card number never reaches your servers at all, which also shrinks the part of your systems that falls within PCI DSS scope.
3. Refrain from storing any unnecessary data:
Just to hammer the idea home, err on the side of caution and store as little information as possible. PCI DSS permits a merchant to store a customer’s primary account number (PAN, rendered unreadable), the cardholder name, the service code and the card’s expiration date. It never permits storing sensitive authentication data after authorization: the full magnetic stripe or chip data, the card verification code (CVV2/CVC2) and the PIN must be discarded as soon as the authorization completes, even if they would be encrypted. Don’t keep additional information in the same place, and don’t ask for information that serves no legitimate business purpose. Supplementary cardholder details such as billing address and phone number can typically be stored with basic protective measures, but keep them in a separate database from card data, so that a compromise of one does not hand over everything.
4. Transmit data over a secured network:
Full card numbers must never be sent by email, chat or text message, or written to application logs: those channels are not encrypted end to end and are no longer under your control once the message leaves. If you send a customer a digital receipt that references the card, or show a saved card in an online account, display at most the last four digits (PCI DSS also permits the issuer identification digits at the start, but a receipt has no need for them) and do not show the expiration date.
As a general rule, a digital receipt will also include the date of purchase, a description of the goods or services purchased, an invoice number, the city and state in which the company is registered, and the name of the company. Receipts must be secure and accurate first, but a savvy business owner can also use a digital receipt to present targeted offers for repeat business.
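Items 2, 3 and 4 together amount to one policy: persist only a processor token, the masked number, the expiry and the name; never persist the CVV; and never let a full card number into a receipt, email or log. The following Python is an added illustration of that policy and is not code from the original article. The `tokenize_with_processor` function is a stand-in (an assumption); a real integration would call the payment processor’s tokenization API. The receipt text is constructed sample data.

```python
"""Keeping card data out of your own storage and out of outbound messages."""
from __future__ import annotations
import re
import secrets
from dataclasses import dataclass, field


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands. It catches typos at
    capture time and lets the leak scanner ignore random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class CardCapture:
    """What the checkout form delivers. repr=False keeps the secret fields out
    of any log line or traceback that prints the object."""
    name: str
    pan: str = field(repr=False)
    exp_month: int
    exp_year: int
    cvv: str = field(repr=False)


def tokenize_with_processor(pan: str, exp_month: int, exp_year: int) -> str:
    """Stand-in for the processor's vault API (assumption, not a real API).
    The processor keeps the PAN; the merchant gets an opaque reference."""
    return "tok_" + secrets.token_hex(12)


def minimize_for_storage(cap: CardCapture) -> dict:
    """Return the only fields a merchant should persist. The CVV is used for
    the authorization call elsewhere and is deliberately never copied into
    this record; the PAN is replaced by the token plus the masked form."""
    pan = re.sub(r"\D", "", cap.pan)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed format or Luhn check")
    return {
        "cardholder_name": cap.name,
        "token": tokenize_with_processor(pan, cap.exp_month, cap.exp_year),
        "pan_masked": mask_pan(pan),
        "last4": pan[-4:],
        "exp_month": cap.exp_month,
        "exp_year": cap.exp_year,
    }


# Runs of 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Find full card numbers in an outgoing receipt, email body or log line.
    A candidate counts only if it passes Luhn, so order and phone numbers
    are mostly ignored."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Replace every detected PAN with its masked form before the message leaves."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return _PAN_CANDIDATE.sub(_mask, text)


# Constructed sample receipt; 4111 1111 1111 1111 is the well-known Visa test number.
RECEIPT = "Order #1000234 paid with card 4111 1111 1111 1111, phone 555-0100"

if __name__ == "__main__":
    cap = CardCapture("Jane Doe", "4111 1111 1111 1111", 12, 2030, "123")
    print(minimize_for_storage(cap))
    print(find_pans(RECEIPT), redact_pans(RECEIPT))
```

Run `redact_pans` over every outbound email body and every log line as a last line of defence; the first line of defence is that the PAN is never in your system to leak, which the token-based record gives you.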
5. Change passwords from their defaults, and rotate them:
The customer database of an online merchant is a prized target, and an attacker doesn’t have to work hard to go after it. Automated bots hit every exposed login (admin panel, database, hosting control panel, remote shell) around the clock, trying vendor default credentials and passwords leaked from other breaches. Change every default password before a system goes live, use long, unique passwords kept in a password manager, and turn on multi-factor authentication wherever it is offered, above all for administrative access. Put the database behind a firewall so it is not reachable from the internet at all, and lock out or rate-limit repeated login failures so that guessing does not scale; PCI DSS requires lockout after a small number of failed attempts. Periodic rotation (PCI DSS requires a change at least every 90 days where a password is the only authentication factor) limits how long a guessed or leaked password stays useful, but it is no substitute for MFA and lockout. Never use anything obvious, like your business name, which is the first thing an attacker will try.
6. Minimize access to your data:
Don’t let every employee reach the database. Agree on a small set of approved users, give each only the rights their job needs, and have a procedure that revokes access the day someone leaves. Best practice, and a PCI DSS requirement for the handling of clear-text cryptographic keys, goes further with split knowledge and dual control: no single person holds a complete key or can alone carry out a high-impact action such as creating or destroying a key, bulk data deletion or other sensitive database management, because the system requires two people to perform it. That makes both fraud by an insider and a mistake by one tired administrator much harder.
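Split knowledge for an encryption key is usually done with key components: each custodian holds one random component, and the key is the XOR of all of them, so any set of components short of the full set is still uniformly random and reveals nothing. The Python below is an added example of that technique together with a dual-control check that refuses to assemble the key until every custodian has entered their part; it is not code from the original article. The custodian names are made up, and the check value uses HMAC-SHA256 as a stand-in (an assumption) for the industry key check value, which traditionally encrypts a block of zeros with the key and would need an AES library.

```python
"""Split knowledge (key components) and dual control for a data-encryption key."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from typing import Callable

KEY_BYTES = 32  # 256-bit data-encryption key


def generate_components(n: int = 2) -> list[bytes]:
    """One random component per custodian. The key itself is never materialised
    here; it exists only when all components are XORed together."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    return [secrets.token_bytes(KEY_BYTES) for _ in range(n)]


def combine(components: list[bytes]) -> bytes:
    """XOR all components; order does not matter."""
    key = bytes(KEY_BYTES)
    for c in components:
        if len(c) != KEY_BYTES:
            raise ValueError("component has wrong length")
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def check_value(key: bytes) -> str:
    """Short fingerprint to confirm the right components were entered without
    revealing the key (stand-in for a conventional KCV)."""
    return hmac.new(key, b"kcv", hashlib.sha256).hexdigest()[:6]


class KeyCeremony:
    """Dual control: the key is assembled in memory only after every custodian
    has entered a component, used for one action, and then discarded."""

    def __init__(self, custodians: list[str], expected_kcv: str) -> None:
        self.custodians = set(custodians)
        self.expected_kcv = expected_kcv
        self.entered: dict[str, bytes] = {}

    def enter(self, custodian: str, component: bytes) -> None:
        if custodian not in self.custodians:
            raise PermissionError(f"{custodian} is not a key custodian")
        self.entered[custodian] = component

    def run(self, action: Callable[[bytes], object]) -> object:
        """Call action(key); refuse unless everyone has entered their part."""
        missing = self.custodians - set(self.entered)
        if missing:
            raise PermissionError(f"waiting on custodians: {sorted(missing)}")
        key = combine([self.entered[c] for c in sorted(self.custodians)])
        if not hmac.compare_digest(check_value(key), self.expected_kcv):
            self.entered.clear()
            raise ValueError("key check value mismatch: a component was mistyped")
        try:
            return action(key)
        finally:
            self.entered.clear()   # the assembled key does not outlive the action


if __name__ == "__main__":
    parts = generate_components(2)
    kcv = check_value(combine(parts))      # recorded at generation, stored with the key metadata
    ceremony = KeyCeremony(["custodian_a", "custodian_b"], kcv)
    ceremony.enter("custodian_a", parts[0])
    ceremony.enter("custodian_b", parts[1])
    print(ceremony.run(lambda key: f"key assembled, kcv {check_value(key)}"))
```

In practice each component is printed or stored in a sealed envelope or hardware token held by its custodian, and the recorded check value is what lets a ceremony detect a mistyped component without anyone seeing the key.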
The Big Picture:
Keeping your customer data secure is your responsibility as a business owner, and ignorance of the rules isn’t an excuse. Learning how to protect your ecommerce customer credit card data can be a bit of a process, but you can feel proud knowing you’re doing everything you can to respect your customers’ privacy.