Data breaches, identity theft, and credit card fraud are common crimes in the digital world. Merchants need to learn how to properly protect credit card information online.

During the third quarter of 2022 alone, approximately 108.9 million accounts suffered exposure to worldwide data breaches. This is a 70% increase from the previous quarter. The United States is among the top 5 countries affected. Alongside Spain, Russia, France, and Indonesia.

Furthermore, a total of 603,591 identity theft cases were also reported in 2022. Research further revealed that credit card information leaked accounted for more than one-third of these cases.

With such staggering numbers of cybercrime, consumers have every right to be wary of entering their payment information online. It is a merchant’s responsibility to subside such worries and build trust with their clients for seamless secure online payments.

Credit Card Encryption: Best Practices For Protecting Credit Card Data

If your eCommerce site does not have the necessary security to protect cardholder data, chances are, your customers will favor a more secure business.

There are 4 main reasons why merchants should consider improving their online data security:

  • Provide peace of mind
  • Improve Tru
  • Increase sales
  • Protect yourself from liability & unnecessary fees

Keeping that in mind, the below methods can help answer your questions about credit card payment protection online.

Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)

Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) is an encryption-based internet security system. Its purpose is to protect communication between web devices. Ensuring privacy and data integrity in online communications. TLS is the modern-day successor to its earlier version, SSL.

When a website is hosting TLS security, the URL will read HTTPS rather than HTTP. The “S” at the end stands for secure. Additionally, the website might also contain a green shield or lock next to the URL.

Infographic showing secure socket layers (SSL) and Transport Layer Security (TLS)

How Does a Merchant Enable TLS on Their Website?

Web hosting providers sell TLS. Once a merchant purchases it, they receive a certificate of authority. Upon redeeming this certificate, a website is officially using TLS security.

How Does TLS Work to Protect Credit Card Data?

1. Website Authentication

The TLS authentication process ensures that both devices in the communication are who they claim to be. If a customer is wondering how to check if a website is safe, they can rely on the green secure logo on the URL. If there’s no green shield or lock, then the customer knows the site could be unsafe.

2. Verifies Website Trustworthiness

TLS digitally signs data. Providing verified data integrity. Meaning, the data is not tampered with before it reaches its intended recipient. With these benefits in mind, customers who see a secure certificate on a merchant site are more likely to find it more trustworthy. Customers who have peace of mind in their online browsing are more encouraged to enter their full credit card information online. Trusting they are making a secure transaction.

3. Credit Card Data Encryption

Data encryption provides a high level of privacy, credit card users want for secure payments online. Encryption takes credit card info and mixes it up with random characters.

TLS-certified websites then perform a virtual “handshake” between the browser and the server. This determines a key to unlock encrypted information.

Because encrypted data is in code, it is nearly impossible for hackers to decipher the information. Which makes a customer’s credit card safe and secure for online shopping.

Woman making a purchase on a smartphone holding a credit card

Credit Card Information Tokenization

When you are charging a credit card on file, tokenization is the method used to protect stored customer card data. It replaces the real credit card number with a token.

The token is a random set of letters and numbers that would mean nothing to someone who had access to it. The payment processor is the only entity that can read it. A virtual vault securely stores a tokenized card’s real data.

When used with encryption– protecting credit card data during a transaction– tokenization prevents leaked credit card information. It is the best way to save credit card information.

If you’re looking at storing credit card information online, be sure to look for a payment gateway that offers secure tokenization for your merchant account.

Protect Credit Card Data With PCI Compliance

Any merchant that accepts, stores, and transmits credit card information is subject to the rules and regulations of PCI standards.

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of policies created by the PCI Security Standards Council (PCI-SSC) and regulated by major card brands. The design of PCI compliance is to safeguard cardholders from any misuse of sensitive information.

PCI compliance is not required by law. However, merchants that are not PCI compliant will suffer penalties. Such penalties could include:

  • Fines
  • Fees
  • Leaked information
  • Unhappy customers
  • Loss of revenue
  • Lawsuits
  • Increased processing fees
  • Loss of merchant accounts

With such devastating potential consequences, it is shocking to discover through recent research, that nearly 67% of merchants are storing unencrypted cardholder information.

PCI Requirements

There are 12 PCI compliance requirements that are essentially broken down further into sub-categories. For this discussion, we will go over the main 12.

  1. Install and maintain a firewall to protect cardholder information
  2. Do not use default system passwords. Change all access credentials to something unique and difficult
  3. Protect all stored cardholder information.
  4. Encrypt cardholder data during transmission across public networks
  5. Use and maintain antivirus software
  6. Establish and maintain secure systems
  7. Limit access to cardholder data on a need-to-know basis
  8. Assign a unique user ID to every person with computer access
  9. Limit physical access to card data
  10. Track all access to cardholder data and network resources
  11. Frequently test security systems
  12. Enforce a policy that addresses security information for all business personnel

What Credit Card Data Can Merchants Store?

There are plenty of consumer protection laws about keeping credit card numbers on file. However, entities that are following PCI compliance guidelines have permission to store information classified under Cardholder Data (CHD). Cardholder Data includes:

  • 16-digit Primary Account
  • Number (PAN)
  • Expiration date
  • Cardholder name
  • Zip code

This information is a combination of personal information mixed with primary card information. It is all typically found on the front of a credit card.

Padlock on top of a credit card

What Credit Card Data Can Merchants Not Store?

Sensitive Authentication Data (SAD) is information that merchants can not store after the authorization of a transaction. Sensitive Authentication Data (SAD) includes:

SAD is highly valuable to financial criminals. Used for unauthorized transactions for both card-present and card-not-present environments. Fraudsters use stolen cards to make unauthorized purchases online. Some cardholders opt to hide credit card CVV by scratching it out or blacking it out with a permanent marker.

This is because security codes are necessary for completing online purchases. If the cardholder has the number memorized or stored somewhere safely, this method can prevent any unauthorized charges from a stolen card.

Best Practices: Asking for Credit Card Information on Your Virtual Terminal

A merchant should know how to collect credit card information online not only safely, but also efficiently. Optimizing the checkout experience for customers can make all the difference. Especially when it comes to their trust in entering their credit cards for online shopping.

There are some practices that merchants should avoid and some practices that they should implement when it comes to taking different payment methods online.

Follow along to discover the best way to use a credit card virtual terminal:

Identify Which Card Brands You Accept

Ideally, it would be best if you had your merchant account set up to accept all card brands. It can be an inconvenience for customers when their credit card issuer brand is not an accepted form of payment. This can often be the case with Discover or American Express credit cards.

Displaying a logo for each accepted card brand will limit any unnecessary customer confusion or concerns before even beginning to enter their payment information.

Infographic showing the benefits of showing the type of credit cards an online business shows vs not showing them

These card brand logos generally appear after selecting the payment type and before the card number field.

Ask For Necessary Payment Information

To take a customer payment online, you will need the following credit card details:

  • 16-digit credit card number
  • Cardholder name as it appears on the card
  • Expiration date
  • Security code (CVV, CVC, CID)
  • Cardholder’s billing address
Illustration explaining different types of information on a credit card

Cut Out Unnecessary Fields

It can be cumbersome for customers to key in card details to complete their payments. Online transactions take more time than using contactless or EMV payment at a physical terminal.

Cutting out unnecessary fields will help reduce checkout time and increase customer experience.

One example of unnecessary information is the card type. This field is redundant.

Infographic showing how an online business should use drop out menus for the cards they accept on their website

Card brands are automatically determined by the first digits of the card:

  • American Express: 3
  • Visa: 4
  • MasterCard: 5
  • Discover: 6

Clearly Label Fields

As straightforward as this may seem, the more specific you can be, the fewer user errors will occur.

Card Holder Name

A person may have their name listed differently for independent situations. Take their bank account, their full legal name, their nickname, and the name on their card, for example. These can all vary slightly.

For example, a person’s card may or may not have their middle initial listed. In that case, you’d want the cardholder to make sure they enter in exactly as their name appears on their card.

To prompt the cardholder your cardholder name field can read as:

  • Name on Card
  • Name (as it appears on the card)
  • Name (Should match the name on the front of the card)
Infographic showing the fields a customer should fill up when making a purchase online

Credit Card Security Code

Security codes are Sensitive Authentication Data. Merchants cannot store this information online. Each card brand has different names, digit amounts, and locations for their credit card security codes:

  • Discover: card verification value (CVV, 3 digits, back of card)
  • Visa: card verification value (CVV2, 3 digits, back of card)
  • Mastercard: card verification code (CVC, 3 digits, back of card)
  • American Express: card identification number (CID, 4 digits, front of card)

Because each card brand uses different terminology, you will want to stick with the general term of “security code” rather than CVV, CVC, or CID. Sticking with the umbrella term can reduce customer confusion.
You can even include an image to help guide cardholders at checkout:

Graphic showing where to find the security code on a credit card

Avoid Icons As Field Labels

You should always label your fields with alpha characters. Never rely solely on icons such as a lock for security code or a calendar for expiration date. Vague prompts can potentially lead to the entry of inaccurate information.

A lock could suggest a few different things to cardholders:

  • Security code
  • PIN
  • Password
  • Etc

It simply isn’t direct enough for a smooth user experience.

Graphic highlighting icons on an online field label

Avoid Drop Downs

Though a minute detail, this can simply take more time to complete if it is in a drop-down format. With drop-down, users have to search for what they’re looking for. If they have the option to type in a number instead, the process is more efficient.

Graphic showing a drop down menu with the dates of expiration on a credit card

Have Clear Error Message Queues

Even with clear directions, users can still make mistakes when entering information on online forms. This can be simply due to a typo or not fully reading instructions carefully enough.

Either way, entering the correct data is important to successfully complete an online transaction. So when errors do happen, it is important to prompt the cardholder with an accurate description of what needs adjustment.

Unclear Error Message: The message does not specify exactly what the mistake is and how to fix it.

Graphic showing error message queues when inputting credit card numbers online

“There’s a problem” or “not valid” are vague messages that do not help users correct their exact errors.

Is the card number too long? Too short? The right length, but entered with the wrong digit somewhere? Should I use a different format? Spaces? No spaces? Dashes?

Clear Error Message: In comparison, this error message says exactly what is wrong with the field:

Graphic showing an error message when inputting credit card information online

As you can see, the more detailed an error message is, the more seamless the user experience will be. 

Have Access to Customer Support

Lastly, be sure you have your customer support phone number listed on your page. If your customer has any problem at checkout, they should easily be able to contact someone who can walk them through their payment.

If no help is available, you can easily lose out on a sale and a new customer.

Never Ask Customers to Send Credit Card Info Via Email:

To protect credit card information, never ask for customers to send sensitive information via email. Email is an unsecured method of transportation. It is very easy for hackers to access emails and steal your cardholder’s information.

Additionally, certain email addresses can be automatically sent to spam by your email provider. If your customers were to send payment information and it goes to junk, you may accuse customers of not sending payment. This would lead to unpleasant conversations, confusion, and happy clientele.

Banner that says Sign Up For Mobile and Contactless Payments Today!

Online Credit Card Protection Conclusion

Data security is crucial. With more people buying online, it’s up to merchants to take every step possible to protect credit card information. In implementing secure business practices and easy virtual terminal checkout, merchants will not only build trust with their clients, but they will also build a more successful business. It is my hope that this article has prepared you for how to securely store customer credit card information online.

To contact sales, click HERE. And to learn more about ECS Payment Protection visit Security & Encryption.