Storing Credit Card Information Online

Mastercard and Visa have recently come out with new security rules for the storage of customers' credit card information. How does this affect your online business?

If you have a web site that sells products, along with your own payment gateway and merchant account, then you have a choice: store the credit card information on your own web server, or store it at your payment gateway.

Storing the information on your own server has the advantage of allowing returning customers a quick way to check out without having to reenter all of their information every time.

It’s also an advantage for membership sites. Some membership software can store the information on your server to better allow the subscriber to make changes to their account and allow recurring billing without using a special payment gateway. The software keeps track of the subscription and submits a ‘one-time’ purchase on a regular schedule. It also automatically handles cancellations.

BUT, with the new rules called the Payment Card Industry Data Security Standard, generally referred to as PCI compliance, you have to jump through a bunch of hoops to meet their standards (a good summary can be found here).

Even with fewer than 20,000 credit card transactions a year, you are required to complete an "Annual PCI Self-Assessment Questionnaire" and have a "Quarterly Network Scan" performed by an outside, accredited agency. It means you have to worry about server and database security on your web site, a site that you may have no control over.

I couldn’t find any prices online – only “contact us for pricing” at most sites, but then I came across a PCI compliance product from Comodo called Hacker Guardian that does quarterly scans for $249/year.

The Solution

In the past you generally had two options at checkout: either keep your customers on your web site and pass all the relevant information to the payment gateway, or send the customer to the payment gateway to check out.

Payment gateway providers are responding to these new rules with new solutions. For instance, Authorize.net has a new option called Customer Information Manager (CIM). The CIM interface stores all of the customer data on their PCI-compliant server and gives you a Customer ID number with which to access the data. It also handles recurring billing.

It may take a while for shopping carts to integrate with the new gateways. Having it done by a programmer may cost you $200 – $300.

The thing to keep in mind is to refrain from storing credit card information on your web server if you can avoid it.
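To make the gateway-side storage pattern from the CIM paragraph concrete, here is an added example (not code from this post or from Authorize.net): a checkout step that hands the card to a stand-in gateway vault and keeps only the returned customer ID and the last four digits locally, plus a Luhn-based audit that scans your local records for anything that still looks like a full card number. The gateway class, its method name and the record layout are assumptions for illustration; the real CIM API is not modelled.

```python
import re


class GatewayVaultStub:
    """Constructed stand-in for a gateway vault (such as CIM).

    The real gateway API is not modelled; this only shows that the full
    card number never comes back to the merchant side.
    """

    def __init__(self):
        self._vault = {}
        self._next = 0

    def create_customer_profile(self, pan, exp):
        self._next += 1
        customer_id = f"CID-{self._next:06d}"  # assumed ID format
        self._vault[customer_id] = (pan, exp)
        return customer_id


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return Luhn-valid card-number-like sequences found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def store_customer(local_db, gateway, email, pan, exp):
    """Vault the card at the gateway; keep only the token and last four locally."""
    customer_id = gateway.create_customer_profile(pan, exp)
    local_db[email] = {"gateway_customer_id": customer_id, "last4": pan[-4:]}
    return customer_id


def audit_local_store(local_db):
    """List (email, pan) pairs where a full card number leaked into local data."""
    return [(email, pan) for email, rec in local_db.items()
            for pan in find_pans(repr(rec))]
```

The audit is worth running against free-text fields (order notes, support tickets) as well, since those are where card numbers tend to end up by accident.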