Security advice for businesses

Storing card information

Credit card details are valuable to fraudsters and are often the target of external and internal attackers. So if you decide to store payment card details on any of your business systems, it is your responsibility to ensure you have adequate security measures in place.

Barclaycard Business offers the following security advice if you choose to store this type of information on your systems:

  • Restrict access to payment card data to only those staff who need access to it, and ensure that this type of information is not published internally or externally.
  • Ensure that staff handling payment card data are aware of its importance and confidentiality.
  • Consider auditing access to payment card related data and retaining the audit records for a suitable period, as an additional security measure.
  • If any third parties have access to your payment card data, consider auditing or reviewing their access for extra security.
  • Determine how robust the access controls are for all systems used to store or process payment card information. Consider both logical permissions and password control, as some desktop software applications are prone to password attacks. You may need to review your controls on systems where payment card data can be accessed.
  • Be on the lookout for ways that payment card data could leave your organisation without authority (e.g. emails, paper, entry into mobile phones) and look for ways of minimising this risk.
  • Never store payment card data on any computer system exposed to the Internet.
  • Ensure that an actual or suspected compromise of payment card data is reported to the card issuer as soon as possible.
  • If you experience fraud on your cards, consider an internal investigation, in case it was the result of information originating from within your organisation.
  • Real payment card data should not be used for test purposes if the test or development system has weaker controls than the live environment.
  • Consider undertaking a formal security risk assessment for any system that holds or processes card payment data.
  • Ensure protection of this data falls within the terms of your own information security policies. If you do not maintain a formal policy, consider how the controls fit with BS7799, the British Standard for Information Security Management. Visit bsi-global for more information.
  • If you operate an information classification scheme within your company, payment card information should be given an appropriate confidentiality rating.
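Several of the points above (data escaping via emails, card data on Internet-exposed or test systems) come down to knowing where card numbers actually sit. The following is an added Python example, not Barclaycard's code, that scans a piece of text for Luhn-valid card-number candidates and reports them masked; the digit-run pattern and the sample text are assumptions.

```python
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (assumed pattern, not a card-scheme definition).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: real PANs pass it, most random digit runs do not."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits so the scan output is not itself card data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid card numbers found in text, in order of appearance."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask(digits))
    return found


# Constructed sample: the body of an outbound email or a test-database export.
# Only the two Luhn-valid numbers are card numbers; the order reference and phone are not.
SAMPLE = (
    "Customer order ref 1234567890123456 paid with card 4111 1111 1111 1111, "
    "phone 01234 567890; second card 4242-4242-4242-4242 (typo retry 4111111111111112)."
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print("possible card number:", pan)
```

Run it over mail spools, exports or test fixtures to find card data in places the list above says it should not be; the masked output can be kept as an audit record without itself becoming something to protect.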

This list is provided as guidance only, as it is not possible for Barclaycard Business to provide an exhaustive list of the issues faced when storing payment card details. You should ensure that this area is fully explored by your business and that you implement adequate policies and procedures before you begin to store this type of information.