Unfortunately, the World Wide Web is a dangerous place. Phishing attacks, data breaches, viruses: companies and individuals face many dangers. One of the biggest risks for any online store, or any other website that requires payment, is that consumer data, such as credit card information, could be exposed.
Consumers know the risks. In a survey, 37 percent of customers said they abandoned a purchase online due to security concerns. By providing secure purchasing options through trusted partners, you may be able to reduce abandonment rates.
One way to increase security is to avoid storing credit card data on your site. It’s possible to run an online store or another website that requires payment without storing a user’s card data at all. By using shopping carts like Paykickstart that link easily to payment processors such as Stripe or PayPal, you can outsource both the payment processing and the data to a trusted third party. This way, you’ll be protected but can still accept credit card payments.
Storing credit card data yourself creates a lot of risks. Not convinced you need to use trusted third parties to protect consumer data? Let’s take a closer look at the liabilities and security risks you face when storing consumer data.
The Liabilities Are Real
Perhaps the biggest risk with storing credit card information or any type of sensitive data is that you could be found liable if the data is leaked. If you are found to be negligent in any way, the costs could be quite high.
Consider that Target was forced to shell out $18.5 million to settle a consumer data breach case. Yahoo! handed over $50 million. Equifax has found itself tied up in the courts. Any website that stores consumer credit card information may find itself on the hook for damages should that data be exposed.
If data is exposed, consumers could find their cards being misused by hackers, and you could be found liable for those charges. Or, like Yahoo!, you could have to pay consumers for the time they wasted securing their accounts. Further, you could be handing over money to regulatory authorities, as Target had to do.
If the data is in your custody and you expose it, you could incur huge fines and have to pay out large settlements. You could even be pushed into bankruptcy.
PCI Compliance Is No Small Matter
If you want to accept credit card payments directly, you will have to be PCI compliant. Online credit card payments are regulated under the Payment Card Industry Data Security Standard (PCI DSS). In practice, this standard sets strict requirements for processing payments, storing sensitive data, access control, and various other areas. It’s far easier to meet PCI requirements if you don’t store card data in the first place.
If you fail to properly implement PCI standards, you could face hefty fines and could be barred from accepting payments. If you sell goods or services online, this is one of the many things you don’t want to be worrying about. Fortunately, there are options at your disposal.
Shopping carts like Paykickstart allow you to sell your items securely by linking to PCI compliant payment processors like PayPal, Stripe, Authorize.net, Braintree, and Easy Pay Direct. This lets you easily sell more items to customers while presenting an array of upselling opportunities. On top of that, you won’t be storing any card data or processing the payment yourself, which reduces your risks and liabilities.
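As an added illustration of the "never let card data touch your server" principle (example code written for this page, not Paykickstart's or any processor's own code): a server-side check that a checkout request carries only a processor-issued token, and that no raw card number has slipped into a field that would be stored or logged. The `tok_` token format and the field names are assumptions for illustration.

```python
import re
from typing import Tuple

# Constructed example: the hosted checkout hands your server a token, never the
# card number. These checks refuse any payload where a raw PAN appears anyway.
# The "tok_" prefix is an assumed format, not any real processor's scheme.

# 13-19 digits, optionally separated by single spaces or dashes between digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
TOKEN_FORMAT = re.compile(r"^tok_[A-Za-z0-9]{8,}$")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid 13-19 digit run (very likely a card number)."""
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card-like runs before text is written to a log or database."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN REDACTED]" if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(mask, text)


def validate_checkout(payload: dict) -> Tuple[bool, str]:
    """Accept a checkout payload only if it carries a token and no raw card data."""
    token = str(payload.get("payment_token", ""))
    if not TOKEN_FORMAT.match(token):
        return False, "missing or malformed payment token"
    for key, value in payload.items():
        if key != "payment_token" and contains_pan(str(value)):
            # Reject rather than store: the PAN must never reach your database.
            return False, f"raw card data present in field '{key}'"
    return True, "ok"
```

Rejecting the request (and redacting before logging the rejection) keeps the offending card number out of your systems entirely, which is what keeps you outside the PCI storage scope.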
Laws Vary From Country to Country
When you sell products online, you can tap into global markets. Let’s say you run a subscription-based industry news website. You can sell subscriptions to people across the world, not just in your home country.
However, different countries and regions have different laws regarding data breaches. The Payment Card Industry Data Security Standard (PCI DSS) sets minimum standards for using and storing credit card information globally, but some countries can levy unusually large fines in the event of a data breach.
In the European Union, under the General Data Protection Regulation (GDPR), regulatory authorities can levy fines of between 2 and 4% of annual revenue if the stipulated rules aren’t followed. The EU also has strict reporting requirements in the event of a security breach.
We’re only scratching the surface of the complexity of international law. Any time you conduct business globally, you need to be aware of local laws and regulations.
Your Brand Could Suffer Irreparable Damage
Some people think Equifax should be shut down over its breach. The fact is, people only want to buy goods and services from companies they trust. Indeed, building trust with customers is perhaps the most important thing a brand can accomplish.
If your company or website is viewed as responsible for exposing consumer credit card data, you’re going to take a hit. Target saw its revenues decline by 3.8 percent and net income plummet by 46 percent after suffering a data breach, and Target’s stock also suffered a steep hit in the weeks after the breach.
A major hit stemming from a security breach could quite literally be strong enough to knock you out of the market. If your brand becomes associated with lax security, many customers will refuse to purchase from you.
On the other hand, when you use a payment processor that stores and secures customer data, such as PayPal, it’s their brand that will primarily be exposed. These risks help explain why companies like Stripe and PayPal go to such lengths to protect confidential data. They aren’t just protecting their customers; they are also protecting their own brand.
Simple Mistakes Can Expose Data
Okay, so there are risks associated with storing consumer data. But if you take great care to protect the data, will you actually be exposed to any dangers? Unfortunately, ensuring that data is secured is easier said than done.
It’s difficult and expensive to ensure that data is being protected. Even small mistakes can snowball into huge problems. Equifax exposed the data of 145 million people because the company failed to apply a security patch that had been available for months. Attackers realized the patch hadn’t been applied and exploited the vulnerability to steal the data.
Even if you do everything right (keeping plugins up to date, using only trusted software partners), there’s still a risk that an attacker will notice a vulnerability before a security expert does. That alone could be enough to allow a breach of your website and the theft of valuable information.
Human Errors Can Expose Data Too
Further, there is always the human factor. Many hackers don’t even bother attacking code anymore. Instead, they target people with phishing campaigns and social engineering to get them to give up passwords and other data.
For example, someone might pose as Automattic, the owner of the popular CMS WordPress, and email you. They could claim that there is an issue and that you need to log in to your WordPress site immediately. So you click the link in the email and are taken to a website that looks like an official WordPress login page.
Unfortunately, the website doesn’t belong to WordPress but to a hacker. When you enter your username and password, you hand them over to the hacker, who can now use them to log in to your WordPress website. Attacks like these happen all the time.
One study claims that a single successful phishing attack costs a medium-sized business $1.6 million on average. At the same time, another study found that 76 percent of businesses were targeted with phishing attacks in 2017.
No Matter What: You’re On The Hook
So what’s the takeaway from all of this? The risks are real. If someone is able to compromise your website, whether through social engineering, a technical exploit, or anything else, you could take a hit. Civil suits, government fines, and brand damage could all follow.
The easiest solution is quite straightforward: don’t store credit card information. You can still accept credit card payments, and you can still make it stupid easy for customers to pay. Instead of storing the data yourself, however, work with third parties. Payment processors and the like can take custody of the data and ensure that it is properly protected.