The Risks You Face In Storing Credit Card Information

Written By:
Michael Harbone
Published On:
June 7th, 2019
Read Time:
6 Mins
Category:
Billing

Unfortunately, the World Wide Web is a dangerous place. Phishing attacks, data breaches, viruses, you name it, companies and individuals face many dangers. One of the biggest risks for any online store or other websites that require payment is the risk that consumer data, such as credit card info, could be exposed.

Consumers know the risks. In a survey, 37 percent of customers said they abandoned a purchase online due to security concerns. By providing secure purchasing options through trusted partners, you may be able to reduce abandonment rates.

One way to increase security is to avoid storing credit card data on your site. It’s possible to run an online store or another website that requires payment without storing a user’s data. By using shopping carts like Paykickstart that easily link to payment processors, such as Stripe or Paypal, you can outsource both the payment processing and the data to a trusted third party. This way, you’ll be protected but can still accept credit card payments.

Storing credit card data yourself creates a lot of risks. Not convinced you need to use trusted third parties to protect consumer data? Let’s take a closer look at the liabilities and security risks you face when storing consumer data.

The Liabilities Are Real

Perhaps the biggest risk with storing credit card information or any type of sensitive data is that you could be found liable if the data is leaked. If you are found to be negligent in any way, the costs could be quite high.

Consider that Target was forced to shell out $18.5 million to settle a consumer data breach. Yahoo! handed over $50 million. Equifax has found itself tied up in courts. Any website that stores consumer credit card information may find itself on the hook for damages should that data be exposed.

If data is exposed, consumers could find their cards being misused by hackers. You could be found liable for those charges. Or, like Yahoo!, you could have to pay consumers for any time wasted securing their accounts. Further, you could be handing over money to regulatory authorities, as Target had to do.

If the data is in your custody and you expose it, you could incur huge fines and have to pay out large settlements. You could even be pushed into bankruptcy.

PCI Compliance Is No Small Matter

If you want to accept credit card payments directly, you will have to be PCI compliant. Online credit card payments are regulated under the Payment Card Industry Data Security Standards (PCI DSS). In practice, these standards set strict guidelines for processing payments, storing sensitive data, access control, and various other things. It’s easier to meet PCI standards if you don’t store data.

If you fail to properly implement PCI standards, you could face hefty fines and could be barred from accepting payments. If you sell goods or services online, this is one of the many things you don’t want to be worrying about. Fortunately, there are options at your disposal.

Shopping carts like Paykickstart allow you to sell your items securely by linking to PCI compliant payment processors like PayPal, Stripe, Authorize.net, Braintree, and Easy Pay Direct. This allows you to easily sell more items to customers while presenting an array of upselling opportunities. On top of which, you won’t be storing any data or processing the payment. This reduces your risks and liabilities.

Laws Vary From Country to Country

When you sell products online, you can tap into global markets. Let’s say you run a subscription-based industry news website. You can sell subscriptions to people across the world, not just in your home country.

However, different countries and regions have different laws regarding data breaches. Payment Card Industry Data Security Standard (PCI DSS) sets minimal standards for using and storing credit card information globally. However, some countries can levy abnormally large fines in the event of a data breach.

In the European Union, under the General Data Protection Regulation, regulatory authorities can levy fines between 2 to 4% of annual revenue if the stipulated rules aren’t followed. Likewise, the EU has strict reporting requirements in the event of a security breach.

We’re only scratching at the complexity of international law. Any time you conduct business globally, you need to be aware of local laws and regulations.

Your Brand Could Suffer Irreparable Damage

Some people think Equifax should be shut down over the breach. Fact is, people only want to buy goods and services from companies that they trust. Indeed, building trust with customers is perhaps the most important thing a brand could accomplish.

If your company or website is personally viewed as responsible for exposing consumer credit card data, you’re going to take a hit. Target saw its revenues decline by 3.8 percent and net income plummet by 46 percent after suffering a data breach. And Target’s stock also suffered a steep hit in the weeks after the breach:

A major hit stemming from a security breach could quite literally be strong enough to knock you out of the market. If your brand becomes associated with lax security, many customers will refuse to purchase from you.

On the other hand, when you use a payment processor that stores and secures customer data, such as Paypal, it’s their brand that will primarily be exposed. These risks help explain why companies like Stripe and Paypal go to such lengths to protect confidential data. They aren’t just protecting their customers, they are also protecting their own brand.

Simple Mistakes Can Expose Data

Okay, so there are risks associated with storing consumer data. But if you take great care to protect the data, will you actually be exposed to any dangers? Unfortunately, ensuring that data is secured is easier said than done.

It’s difficult and expensive to ensure that data is being protected. Even small mistakes can snowball into huge problems. Equifax exposed the data of 145 million people because the company failed to implement a security patch that had been out for months. Hackers realized the security patch hadn’t been implemented and used a vulnerability to hack the data.

Even if you do everything right, keeping plugins up to date, using only trusted software partners, there’s still a risk that a hacker will notice a vulnerability before a security expert does. This alone could be enough to allow a hacker to breach your website and steal valuable information.

Human Errors Can Expose Data Too

Further, there is always a human factor. Many hackers don’t even bother with hacking code anymore. Instead, they target humans with phishing campaigns and social engineering to get them to give up passwords and other data.

For example, someone might pose as Automattic, the owner of the popular CMS WordPress, and email you. They could claim that there is an issue and you need to login to your WordPress site immediately. So you click on the link in the email and are taken to a website that looks like an official WordPress login page.

Unfortunately, the website doesn’t belong to WordPress but instead a hacker. When you plug in your password and user name, you end up handing the data over to the hacker, who can now use it to log in to your WordPress website. Attacks like these happen all the time.

One study claims that a single successful phishing attack costs a medium sized business $1.6 million on average. At the same time, another study found that 76 percent of businesses were targeted with phishing attacks in 2017.

No Matter What: You’re On The Hook

So what’s the take away of all of this? The risks are real. If someone is able to hack your website, whether through social engineering, hacking, or whatever else, you could take a hit. Civil suits, government fines, and brand damage could all occur.

The easiest solution is quite straight forward: don’t store credit card information. You can still accept credit card payments, and you can still make it stupid easy for customers to pay. Instead of storing the data yourself, however, work with third parties. Payment processors and the like can take custody of the data and can ensure that it is properly protected.

Share this post:

Or copy link

Michael Harbone

Michael Harbone is an experienced copywriter, writing professionally since 2017. He has written for multiple digital marketing companies gaining the reputation for writing engaging, concise articles one which received an award from Upcity.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
enforce_policy	1 year	PayPal sets this cookie for secure transactions.
laravel_session	1 hour	laravel uses laravel_session to identify a session instance for a user, this can be changed
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
ts	3 years	PayPal sets this cookie to enable secure transactions through PayPal.
ts_c	3 years	PayPal sets this cookie to make safe payments through PayPal.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	2 hours	This cookie is set by Wix and is used for security purposes.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
nsid	session	This cookie is set by the provider PayPal to enable the PayPal payment service in the website.
tsrce	3 days	PayPal sets this cookie to enable the PayPal payment service in the website.
x-pp-s	session	PayPal sets this cookie to process payments on the site.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gat_UA-44547153-6	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
l7_az	30 minutes	This cookie is necessary for the PayPal login-function on the website.

Cookie	Duration	Description
_dc_gtm_UA-65222323-1	1 minute	This is a Google Tag Manager cookie that is used to control the loading of a Google Analytics script tag, to track the performance of ad campaigns.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_user	1 minute	Google Analytics sets this cookie to throttle request rate.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_session_id	14 days	Cookie set by G2 to store the visitor’s navigation by recording the landing pages. This allows the website to present products and indicate the efficiency of the website.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.