Storing customer credit card information is fast becoming a necessity in today’s economy. Although the days of collecting embossed credit card information with carbon copy paper are long gone, card on file, or COF, has taken on a new meaning.
Much of that comes from the creation of customer accounts for convenient shopping and the explosion of the subscription service business model. Businesses need to retain payment information on file to keep processing periodic payments, or to reduce their share of abandoned carts by offering one-click checkout.
Card on File With Recurring Payments and the Subscription Industry
First, let’s look at subscription services. The subscription economy is already valued at $650 billion, growing 435% over the past decade and on pace to reach $1.5 trillion by 2025. But what exactly are subscription services, and what do they have to do with storing credit card information on file?
Subscription services are just that…a subscription. Customers pay a monthly fee, or sometimes a discounted annual fee. In return, they can access services or receive goods. Entertainment, fitness, eCommerce, ride-sharing, meal delivery, education, and home security (typically related to IoT or the Internet of Things) are just a few consumer-facing models.
Then, of course, there is a whole world of business subscriptions. These payment models have allowed businesses to outsource in-house back-end processes and save on operating fees. That market alone will reach $344 billion by 2024 with a 24% CAGR. Payroll, HR, workflow, IT services, resource management, and customer management are just a few of the products offered by companies like Salesforce, Oracle, IBM, and SAP.
Where is All the Cardholder Data Coming From?
Americans comprise the majority of subscription holders, at 53% of the market share. Europe follows at 21%, then Asia at 14%, followed by the rest of the world lumped together at 12%. And guess who leads the way in terms of age group: millennials. The average millennial has 17 subscriptions, while Baby Boomers and retirees have just 8…which is itself surprising since you’re probably not averse to giving Grandma your Netflix password.
Subscription services are fueling interesting lifestyle shifts that promote convenience and automation. Millennials and their 17 subscriptions are having healthy meals delivered to their door and watching their favorite shows and movies without having to go to Blockbuster. Something they can barely remember existed. Until the scent of popcorn makes them think of bizarre phrases like “be kind, rewind.”
The average monthly spend on subscriptions is over $270, a 15% increase over the past few years. As you might imagine, some of these subscriptions fall through the cracks in the old memory. Around 90% of consumers underestimate how much they are spending on subscriptions, which can lead to chargebacks when frustrated and confused consumers try to cancel something they didn’t remember signing up for.
Storing Cards on File Can Also Help Increase Revenue
Even aside from subscriptions, merchants are proactively offering to save card information as part of consumer accounts for easier checkout. From the business standpoint, customer accounts are an opportunity to monitor spending habits and push tailored recommendations. Stored payment information can also facilitate one-click purchases.
According to one study, one-click purchases could increase sales by as much as 35%. This prognosis is borne out by another study that estimates American consumers spend as much as $5,400 annually on impulse purchases.
Consumer response to the offer of saving card information is strong. More than 64% of American cardholders have saved card numbers online or in a mobile app. Around 56% of these consumers have saved their card info with a retailer. 32% have saved it with a mobile payment app. Around 42% of consumers who have saved card info have saved debit cards. This practice can present an additional security concern since it’s tied right to their bank account.
In terms of safety, around 44% of polled consumers feel safe about the choice to have a third party store their card information. But 17% feel that it is most certainly not safe. Let’s take a look at the worst-case scenario such consumers are envisioning.
How Did the Target Data Breach Happen?
The Target Data Breach is now almost a decade behind us. But it still gets a lot of limelight because so many consumers were impacted. The truth of the matter is that the Target data breach is the tip of the iceberg in terms of business continuity disruptions.
Businesses (and governments) are constantly having to fight off cybercrime, creating a sector with a global market value set to surpass $266 billion over the next few years. Much of this cybercrime—successful or attempted—never reaches consumers, making it fly under their proverbial news radars.
Like most large corporations, Target was (and is) well fortified against data breaches. But in a classic David-Goliath matchup, a small group of attackers managed to extract an epic amount of consumer data: roughly 40 million payment card records, plus personal details for as many as 70 million customers. Actually, Odysseus versus the Cyclops might be a more fitting mythological reference, because the way in was a Trojan Horse…much like the wooden horse used by Odysseus and the Greeks.
The breach slipped past Target’s 300 dedicated full-time cyber-security staff members because the entry point was not Target at all, but a third-party HVAC contractor, Fazio Mechanical, which held credentials for a Target vendor portal. An employee of the Pennsylvania-based company fell for a phishing email. Hidden inside it was the Citadel banking trojan, credential-stealing malware that harvested the logins saved on Fazio Mechanical’s systems.
And Now On to the Main Show…
Like John Sutter finding a glittering nugget in the waters of the Sacramento River (if we can switch to a Wild West metaphor), the attackers now held Fazio Mechanical’s login credentials to a Target vendor system. From there they worked their way across the retail behemoth’s internal network to the point-of-sale systems, which a properly segmented network should have kept out of reach of a vendor portal. Once inside, the attackers deployed a second piece of malware that was also fairly prosaic: memory-scraping software for point-of-sale terminals, purchased on an underground market (because…where else can you purchase malicious software to steal things).
This malware read card data out of each register’s memory at the moment of the swipe, before the data was encrypted, staged it on an internal Target server, and pushed batches out during regular business hours, when the traffic blended in, to servers controlled by criminals in Eastern Europe. Whether they sat in a smoke-filled underground lair sipping on lattes and stroking handlebar mustaches, we do not know. But it certainly seems fitting.
What we do know is that Target’s monitoring team in Bangalore flagged the malware and notified Minneapolis headquarters. But the red alert went unheeded. After all, most Americans probably could not find Bangalore on a map (it’s in India).
The hackers went on to extract data for about two weeks (you read that right), from late November until mid-December 2013, when the Department of Justice notified Target about the fraudulent charges. The criminals had really hit the mark with this hack. Plenty of internet bloggers in fintech have already joked it’s fitting, given Target’s logo (so we can’t take credit for the originality there).
The Aftermath of the Target Data Breach
The aftermath of the hack was perhaps as sizable as the sack of Troy. But probably less epic, as no marble, buff, beach-body nudes with spears were involved. Target reported $291 million in costs from the hack alone.
All the same, Target’s revenue still topped $73.8 billion that year, so the direct financial damage came to well under 1% of income. But the reputational fallout from the hack was significant. Fourth-quarter profit fell 46%, in a holiday season that typically accounts for up to 40% of a retailer’s annual revenue.
Today, it’s fair to say that Target has likely rebuilt its reputation as the go-to retailer for millennials (and younger) seeking a chic but affordable lifestyle. But hackers can’t stop, won’t stop.
Before and since the Target breach, Marriott, Twitter, Under Armour, eBay, Heartland Payment Systems, LinkedIn, and even Myspace (yes, it still exists) have been hacked. And in fact, by the number of persons impacted, every one of these data breaches was larger than Target’s.
So what’s the moral of the story with the Target data breach? Are the 17% of polled consumers mentioned earlier, who say storing card data is not safe, right?
Is it safe for business owners to keep credit cards on file? Are there safe ways to go about credit card storage? And what are the laws about keeping credit card numbers on file?
Laws About Storing Credit Card Information on File
Any business that retains financial data must adhere to the laws and industry rules on storing customer credit card information. The gold standard for card information stored by merchants is the Payment Card Industry Data Security Standard, or PCI DSS. Strictly speaking it is a contractual obligation imposed by the card brands rather than a statute, though several states reference it in law. The standard itself is a fixed set of requirements, but on the specific question of how a stored card number is rendered unreadable, it lets the business choose from several approved methods.
In a high-level overview, those methods are encryption, truncation, tokenization, and hashing (now put your hands on your hips, swivel them, and jump to the side). Encryption converts the card number into ciphertext that can only be reversed with a key, which must itself be stored and managed separately from the data it protects.
Truncation keeps no more than the first six and last four digits of a card number and discards the rest, so there is nothing left to recover. Tokenization replaces the number with a surrogate value, or token, that has no mathematical relationship to the real card number; the mapping from token back to card number lives in a separately secured token vault. Hashing produces a one-way digital fingerprint of the number, with one important caveat: a 16-digit card number has very little entropy, especially if a truncated copy sits next to the hash, so an unkeyed hash can be brute-forced in seconds. That is why the current version of the standard (PCI DSS 4.0) requires keyed hashes of the whole number.
When the information is compliantly stored, companies can retain cardholder names, expiration dates, primary account numbers (or PANs), and the service code from the magnetic stripe. Merchants cannot store the CVV, the PIN (which only the cardholder should know anyway), or full magnetic stripe data after a transaction is authorized, not even in encrypted form. Regarding that last point, magnetic stripes will probably disappear from cards by 2030, so it will be irrelevant in terms of compliance.
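To make the difference between those methods concrete, here is an added example (written for this article, not code from any PCI document or processor) that truncates, tokenizes, and hashes a constructed sample card number, then plays attacker: given the truncated copy and an unkeyed SHA-256 of the full number, it brute-forces the six hidden digits, using the Luhn check digit to solve for one of them, in about a hundred thousand guesses. The same search against a keyed hash (an HMAC under a secret the attacker does not hold) finds nothing. The sample PAN is the standard Visa test number, not a real card, and the vault class and key value are made up for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the well-known Visa test number, not a real cardholder's PAN.
SAMPLE_PAN = "4111111111111111"

# Luhn doubles every second digit counting from the right (the rightmost digit is
# the check digit and is never doubled). The doubling map is a bijection on 0..9,
# which is what lets us solve for one unknown digit instead of guessing it.
_DOUBLE = {d: (2 * d if 2 * d < 10 else 2 * d - 9) for d in range(10)}
_UNDOUBLE = {v: k for k, v in _DOUBLE.items()}


def _is_doubled(index, length):
    return (length - 1 - index) % 2 == 1


def _contribution(digit, index, length):
    return _DOUBLE[digit] if _is_doubled(index, length) else digit


def luhn_valid(pan):
    total = sum(_contribution(int(c), i, len(pan)) for i, c in enumerate(pan))
    return total % 10 == 0


def truncate(pan):
    """PCI-style truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan):
    """Plain SHA-256 of the PAN: a fingerprint, but brute-forceable (see recover_pan)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan, key):
    """HMAC-SHA256 of the PAN under a secret key kept outside the cardholder database."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


class TokenVault:
    """Minimal tokenization: the token is random and unrelated to the PAN; only the
    vault (which would live in the processor's environment, not the merchant's)
    can map it back."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def recover_pan(first6, last4, digest, hash_fn, length=16):
    """Attacker's view: given a truncated PAN and a hash of the full PAN, enumerate
    the hidden middle digits. All but one hidden digit are guessed; the last one is
    solved from the Luhn checksum, so a 16-digit PAN costs only 10**5 hashes.
    Returns (pan, guesses), or (None, guesses) if hash_fn never matches."""
    hidden = length - 10
    free = hidden - 1
    last_idx = 6 + hidden - 1
    known = sum(_contribution(int(c), i, length) for i, c in enumerate(first6))
    known += sum(_contribution(int(c), length - 4 + i, length) for i, c in enumerate(last4))
    guesses = 0
    for n in range(10 ** free):
        middle = str(n).zfill(free)
        partial = known + sum(_contribution(int(c), 6 + i, length) for i, c in enumerate(middle))
        need = (-partial) % 10
        last = _UNDOUBLE[need] if _is_doubled(last_idx, length) else need
        candidate = first6 + middle + str(last) + last4
        guesses += 1
        if hash_fn(candidate) == digest:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-the-real-one-in-an-hsm"  # assumption: held outside the DB
    print("truncated:", truncate(SAMPLE_PAN))
    print("token:", TokenVault().tokenize(SAMPLE_PAN))
    pan, n = recover_pan("411111", "1111", unkeyed_hash(SAMPLE_PAN), unkeyed_hash)
    print("unkeyed hash: recovered", pan, "after", n, "guesses")
    pan, n = recover_pan("411111", "1111", keyed_hash(SAMPLE_PAN, key), unkeyed_hash)
    print("keyed hash: recovered", pan, "after", n, "guesses")
```

The point of the brute-force function is not that SHA-256 is weak; it is that the input space is tiny. Storing the truncated number next to an unkeyed hash of the same number hands an attacker everything needed to undo the hash, which is exactly the correlation the standard warns against.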
Is PCI Compliance Worth It?
The problem with PCI compliance for small to midsize businesses is that it can be time-consuming and expensive. The cost of developing and maintaining an internal Cardholder Data Environment (CDE) may run up to six figures. A PCI audit alone may range from $15,000 to $40,000. Of course, as a business gets larger and stores more data, the cost of meeting and maintaining PCI compliance grows and grows.
The best credit card on file policy for small business owners is to not have one…by which we mean, outsource card on file transactions to someone else. Not just anyone of course, but a payment gateway and processor.
As the purpose of this third party is to help businesses like yours accept credit card payments, they will themselves (by necessity) need to be PCI compliant. This means that they (not you) will shoulder most of the cost of meeting PCI DSS requirements, saving you tens (or hundreds) of thousands of dollars. One caveat: outsourcing shrinks your PCI scope rather than eliminating it. If card numbers never touch your own servers (for example, the checkout form is hosted by the processor and your systems only ever see tokens), you typically qualify for the short self-assessment questionnaire (SAQ A) instead of a full audit, but you still have to keep it that way and attest to it every year.
Where Are Data Breaches Coming From?
Now let’s examine where data breaches come from. About 55% come from malicious outsiders, such as those involved in the Target data breach. Around 15% come from a malicious insider, such as a disgruntled employee or former employee. Roughly 4% are state-sponsored (meaning, by foreign governments). Around 15% are attributable to lost items (like a dropped card). Lastly, about 1% are attributable to hacktivists.
If you’re wondering what a hacktivist is, it’s an attacker motivated by a political, environmental, or humanitarian cause rather than profit, who may damage a company’s systems or hold its data hostage with malware to pressure it into specific actions.
A few significant facts can be gleaned from these findings. One is that a substantial share of data breaches is attributable to lost items. Another is that your business must defend sensitive information like card-on-file payments from malicious outsiders.
Another is that you cannot always trust your human capital (sadly). And lastly, some people are just intensely passionate about endangered species or world hunger. They believe that hacking into businesses will solve those problems (it hasn’t seemed to work yet, but they’re optimistic).
The Best Solution for Card on File Payments
As mentioned, your best bet in terms of keeping payment details secure is to let the servicer of your merchant account handle it. Card on File or COF transactions are simply not cost-effective pieces of information for most businesses to store and manage.
For businesses that keep card details for recurring payments, there is not much point in building an elaborate, compliant storage ecosystem to retain card information. So that means turning to a payment processor.
But there are some best practices you can still adhere to, covering not only credit card theft but identity theft as well. And since identity theft can be a significant stepping stone to other material financial crimes, you do not want to be implicated in the chain of events that leads to them. Adhering to some of these best practices will go a long way.
Never Take Notes
Never process a credit card by writing down card numbers. It can be easy to fall into this trap when taking orders over the phone. Your best bet is to direct customers to an online payment method. But you may feel that will create a negative customer experience, especially at times when the customer cannot access your site.
When you do take card numbers over the phone, key them straight into your processor’s virtual terminal and do not scribble them down first. All it takes is one employee to come along and take that paper, or snap a photo of it on their phone. You should also make sure your employees are not permitted to write card information down. Even if the employee is well-intentioned, they may lose the slip of paper or have the information stolen by a less scrupulous coworker. The same goes for call recordings: if your phone system records calls, the CVV the customer reads out ends up stored, which is exactly what PCI DSS forbids, so pause recording while the card details are given.
While we’re on the topic, avoid exposure of your own business or corporate cards to employees beyond those you trust. You never know when someone is going to buy $6 million in Apple products, allocate $4.1 million to fund their own rap career, $700,000 on travel and massages (sounds like a good combo), or even just rent a $3,000 popcorn machine.
Skimmers, Stripes, and Chips
In this vein of thought, certain businesses have more exposure to potential theft than others. In restaurant settings, employees often take cards away from customers for several minutes in order to run a charge.
Of course, the card information from these transactions is not retained on file. However, numerous restaurants have seen significant amounts of customer data compromised, whether by card skimmers or by malware planted on their payment terminals. For instance, around 15% of Checkers restaurant locations were hit by malware on their point-of-sale systems, compromising customer card data.
Skimming is a process where criminals install a device on a POS terminal (or an ATM or gas pump) that reads card information off the magnetic stripe. This information is then collected and used to make fraudulent purchases or counterfeit cards. As mentioned, card companies plan to eliminate magnetic stripes in the near future. And the EMV chips in current cards generate a one-time cryptogram for each transaction, so data captured from one purchase cannot be replayed to clone the card.
However, if there’s one group of people that is more creative than artists, musicians, and writers, it’s criminals. They have already come up with schemes to foil the EMV chip: counterfeit cards with a deliberately non-working chip, so that the terminal “falls back” to a magnetic-stripe swipe, paired with a story about the chip being broken. The practical defense on the merchant side is to ask your processor to decline or tightly limit fallback transactions.
It seems likely that the disappearance of the magnetic strip will inspire new brushstrokes on the collective canvas of identity theft, and we (not eagerly) await the bold compositions that credit card criminals have in the scopes of their inspiration.
Though you cannot control how your customers protect their personal card information, it brings us to what is (perhaps) the ultimate level of consumer security, biometrics. In the near future, it is possible that payment will be made by biological scans of eyes, fingerprints, or other body parts (we’re talking faces here, people) instead of cards. This biometric data would need to be tied into a seemingly invasive pool of personalized data, and it carries one risk a card number never had: a compromised card can be reissued, but a leaked fingerprint or face template cannot. How exactly this would fit into the payment landscape remains to be seen.
Be Careful About Who Has Access to the Payment Gateway Dashboard
But returning to our business security concerns, you should also be careful about whom you give login credentials for sensitive internal systems, whether it’s your payment gateway dashboard or even customer relationship management software.
One way to prevent unwanted parties from entering the sacred realms of sensitive data is 2FA. Two-factor authentication brings security beyond password protection. It requires the party trying to access the data to validate themselves some other way, for instance with a code sent to their phone. A code from an authenticator app or a hardware security key is a stronger second factor than an SMS code, which an attacker can intercept by SIM-swapping the victim’s phone number, so prefer those where your gateway offers them. Also keep the list of dashboard users short, give each person their own account rather than a shared login, and remove accounts the day someone leaves.
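To show what the code from an authenticator app actually is, here is an added example (written for this article, not any gateway’s implementation) of the time-based one-time password algorithm those apps use, RFC 6238 TOTP built on the HMAC-based HOTP of RFC 4226, together with a server-side verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept the same code twice. The shared secret is the RFC’s published test key, not a real enrollment; the function names and the replay-set parameter are this example’s own.

```python
import hmac
import struct
import time

# RFC 6238 test-vector secret (constructed for the standard, not a real enrollment).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate to 31 bits,
    and keep the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter set to the number of `step`-second periods
    elapsed since the Unix epoch. The phone and the server both compute this; only
    the shared secret makes the result unguessable."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret, code, now, step=30, digits=6, window=1, used_counters=None):
    """Server-side check. Accepts the current step and `window` steps either side to
    absorb clock drift, compares in constant time, and, when given a set of counters
    already accepted, rejects a replay of a code that was used once (RFC 6238 says a
    code must not be accepted twice)."""
    counter = int(now) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if used_counters is not None and candidate in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            if used_counters is not None:
                used_counters.add(candidate)
            return True
    return False


if __name__ == "__main__":
    print("current code for the test secret:", totp(RFC_TEST_SECRET, time.time()))
```

The replay set is the part most home-grown verifiers forget: without it, a code phished from a user stays valid for the whole window, even after the user has already logged in with it.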
Eliminate Irrelevant Data
Yet another aspect of keeping data secure is eliminating irrelevant data. There is no reason to store sensitive customer information for customers who have already churned out of your subscription model. Or is there? Certainly, retention is a valuable business concern, but marketing data is a different story than sensitive financial information.
Retaining the emails of previous customers to send them periodic please-come-back emails is much different than saving their card numbers. A proactive step you can take is to eliminate irrelevant customer data from your data landscape. That may include speaking with your payment processor about their policy for storing the data of customers who have churned.
So is it safe to store cards on file? Absolutely, if done the right way.
And the right way is to let a payment provider take care of that for you. This will allow you to shift the cost of PCI compliance and cyber-security onto the payment processor’s security team. However, as mentioned, there are still proactive steps you can take to keep customer information secure.
Storing Credit Cards on File is Often Necessary
When done correctly, keeping credit card information on file helps facilitate your cash flow. In terms of customer account creation, one-click shopping improves your abandoned cart ratio and results in more sales, both from the convenience of the checkout process and the power of impulse purchasing. Then, of course, there are subscription services, which absolutely need to keep card information on file.
Either way, you will want to work with a payment processor that is transparent about its security and data storage process. Unfortunately, large aggregators like PayPal or Square are notoriously not transparent and may respond to security breaches by locking you out of taking payments. A better bet for most business owners is to work with a payment processor that is not an enormous payment aggregator.
In addition to facilitating one-off credit, debit, and ACH payments, we provide a range of other business services including compliant card-on-file storage. We work with businesses of all types and are responsively involved in helping customers run their businesses.
With fee structures that can be tailored to your business model, we can help you process payments and store customer information in a safe and compliant way. Give us a call or contact us through our website to learn more about how we can help you safely keep customer credit cards on file.