Safe place to store credit card numbers?

Just one other thought to add from across the pond. If any of the charity's donors happened to be European, then they are in violation of the EU's GDPR as well, even if they themselves are not present/active/anything in Europe, and that is just a whole 'nother level of unfortunate-ness waiting to happen.
 
Exactly. I keep CC information on file for recurring billing using Square. I input the CC card data and save it in their system and I never can see it again except for the last 4 digits and the expiration date. If Square has a breach the issue is entirely on them legally.
Minor point...

If your client inputs the data into Square's system, it's on them. If YOU input the data into Square's system, it's on YOU! Who does the data entry matters.
 
Minor point...

If your client inputs the data into Square's system, it's on them. If YOU input the data into Square's system, it's on YOU! Who does the data entry matters.

Can you clarify that?

It seems to me that @nlinecomputers is saying that once he's put the data into Square's system at the time of the first transaction, and has no other record of that CC info, but can call it up via Square, in redacted form, to use it later, then all responsibility for the CC data remains with Square after the card data is accepted.

It wouldn't seem to matter if he typed it in, or the client typed it in, as there would be no way to prove after the fact who typed it in. And since he's not storing the data, but Square is, that any liability for breach is on them.

I'm not at all clear about what you're saying "transfers back" to whoever happens to have entered the information. I'd think nothing would except in the case of fraud, which is out of scope here. We weren't discussing fraudulent use of credit cards.
 
@britechguy It does matter who typed it in, because the person typing in the data accepts the risks associated with using the platform.

If I, as a merchant, type information into Square, or Wells Fargo, or anything I use... and those systems are breached, the impacted owners of that data's legal recourse is to sue me for the damages.

If I configure a system such that the user has to input data into the aforementioned service to pay me, while they're typing in all that stuff they have to accept the terms and conditions of using the service themselves. The process is branded for that service, not mine. So if there's a breach, they now have legal recourse to sue the vendor in question directly. Because they interacted with that vendor, at my behest perhaps, but they still made the interaction.

Who inputs the data into what branded fields is what makes the liability determination in a courtroom. You can clearly see this in the PCI compliance questionnaires, and the banks track who's at what level based on the level of certification requested during the compliance process.

By the way this is worst case thinking stuff, if something goes wrong typically the user's card is changed and they aren't on the hook for any actual losses. But if they were on the hook, it's better if they can sue the big boy directly, instead of having to sue the vendor they actually paid, and have that vendor sue the merchant provider.
 
If I, as a merchant, type information into Square, or Wells Fargo, or anything I use... and those systems are breached, the impacted owners of that data's legal recourse is to sue me for the damages.

Not doubting you, as it's been too many years since I was last dealing with PCI compliance, but that's absolutely insane!

Often you're not even actually inputting anything, just sliding/inserting a card into a reader.

If a court wants to hold me responsible if someone hacks into Square because I (and very likely many others, over time) have entered someone's CC information that's just wrong (and stupid). Once it's literally out of my hands, it should not ever fall back on me. It makes no sense, period, and particularly the way CC data is handled upstream of the point of origination, over which no originating merchant has the slightest bit of control.
 
@britechguy Readers are different actually! Because the card can be physically authenticated, but as the merchant YOU are responsible for securing that reader. So the liability depends on the nature of the breach.

Also... Square isn't a merchant processor which blurs things up even further. Technically your reader doesn't have to be PCI compliant, because they're absorbing the PCI compliance themselves as a part of their platform. Honestly, I'm shocked we haven't had a huge legal detonation because of this. Because the lines get REALLY blurry.

I use an actual dedicated physical CC terminal for a reason!

@britechguy Please note I'm talking about memorized transaction details for recurring use. The risks attached to a single point of payment are VASTLY reduced because NOTHING in the system stores those payment details anywhere. You don't have them, Square doesn't have them, even VISA doesn't have them. Only your bank does.

So read all of the above understanding that I'm actually talking about exclusively the risks of keeping CC data around, which is only legitimately useful for subscription based billing.
 
@Sky-Knight

I don't accept CCs, period. But I know so many people who use Square.

Were anyone ever to be sued as an individual for a data breach at Square, I have very little doubt that they would not be held responsible in any way, and they'd have marvelous grounds for countersuing.

There is no way on God's green earth that merchants can reasonably be considered responsible for credit card information except when it is in their possession during processing.

I date from the period where the last CC terminal I owned would store the CC information for batch processing at the end of the day in a final call via modem if you didn't have a functioning phone line while processing the sale. Of course, that put the risk of a decline squarely back on you, the merchant. Now everything's processed over the internet in most places, though phone service versions still exist for rural areas.
 
@britechguy I edited the above post for clarity because I realized we were talking past each other.

The risks I'm talking about revolve around memorized transactions, wherein a merchant has a billing system that automatically bills at a configured interval. It's for maintaining subscriptions, or for anyone that keeps payment details on file for larger purchases.

None of this applies to anyone that simply accepts a credit card as a single payment. Those processes simply never store the CC data, and are only really subject to the charge back process as outlined in the credit card's terms and conditions.

I've had far more problems with charge backs than lawyers chasing me or any of my clients down. There's a reason I only offer Zelle as a payment option to people I don't know! But if you're not doing subscription based billing... everything I said above is all but irrelevant.

But if you're a merchant and you accept a CC and that data was stolen from your equipment? Yeah... you're on the hook. That's just EXTREMELY UNLIKELY TO HAPPEN, if all you're doing is swiping cards through a Square reader on your phone.
 
Yeah, definitely use a third party CC platform. Three that come to mind are Square, Stripe and QuickBooks Online. PCI compliance is taken from your hands, and most of these companies will help you know the proper procedures for handling client CC data prior to entry into these platforms.

If they get caught at what they're doing, they'll lose their CC processing and likely not get it back without a fight (with all processors too, since they're tied together with PCI).
 
A non profit client of mine reached out about wanting to know if storing CC #, and SS# of their donors in Google Drive is safe.

Now right off the bat to me it sounds insane and not safe, but also a huge liability. But this isn't exactly my wheelhouse.

I'm not sure why they would want to store that info, but I figured I'd check here to find out 1) the long list of why not to store that info anywhere and 2) if there was a safe alternative I could suggest.
I'd rather let some third party like PayPal handle that stuff. They can do subscription based payments and a 504 (I think it is) can be set up with PayPal.

Rick
 
I keep CC information on file for recurring billing using Square. I
I'm wondering if it's finally time to ditch my existing terminal. Some questions on the "square experience"
  • Does using a Square setup change the PCI requirements for quarterly scanning?
  • Which PCI questionnaire are you completing?
  • When you are storing cc for recurring billing, how is that done? Do you enter data through the terminal? a website?
  • When you then *use* the stored cc for a future recurring invoice, how is that done? A manual transaction at the terminal? An automated transaction based on your original input? A manual transaction, but you choose the card from a stored list? Something else?
  • How do you reconcile what transactions occurred at the end of each day? Do they give you a closing report that has actual names?
  • Do they have a mobile device that can be used in the field?
  • How are the fees?
These are all of the pain points of my current setup, which is a standard IP terminal where everything is entered manually, the slips & closing reports don't have identifying information and there is no way to do recurring transactions. It works, but it's... cumbersome at best.
 
I don't do any PCI scanning or questionnaires. I'm not keeping any PCI data on my clients. The information is entered on the website or the app. I do the transactions manually, but you can set up recurring invoices tied to a customer/card on file. Yes, you can get reports any time you want, on demand. Square is mostly based on mobile devices. They have apps for Android and iOS. You use a Bluetooth reader with it. They sell stands designed to lock an iPad and the reader to your counter. I think they also have a traditional WiFi terminal, but most stores use the stands, and I use my phone as I am in the field.

Fees: https://squareup.com/help/us/en/art...qs#:~:text=What are your fees?,3.5% + 15¢ fee.

The main advantage of square is no monthly charges. You only pay fees on the charges you process. I don’t do many CC transactions so it works for me. I would think that there is a point of diminishing returns. I see square used in coffee shops and the like and I would think they are doing enough charges to get a better rate with a traditional merchant account. Even with the fees. It’s possible that maybe Square gives you a more traditional rate/fee schedule if you have the volume.
 
Square pretty much came into existence to support small volume businesses using smartphones with a reader that (at that time) plugged into the headset jack.

It's amazing to see just how many businesses at fixed locations now use Square. And, of course, there are now competing services similar to them.

I toyed with the idea of Square on several occasions, but have remained a cash or check only business.
 
Square pretty much came into existence to support small volume businesses using smartphones with a reader that (at that time) plugged into the headset jack.

It's amazing to see just how many businesses at fixed locations now use Square. And, of course, there are now competing services similar to them.

I toyed with the idea of Square on several occasions, but have remained a cash or check only business.
Yep. Square has a "contact sales" button on the website, so I suspect that you can get a better rate if you can prove that you have the volume. That's the only way I can see that shops could afford it. It's that or they're lazy and haven't shopped around. Square is hassle free and there are no credit checks to set up.
 
It’s that or they’re lazy and haven’t shopped around.

Or have and gave up in frustration. I vividly recall doing the research for a merchant account 14 years later because the process was so opaque and miserable. It truly seemed the idea was to give you as little information as possible and to lure you into "the best gotcha situation" for the processor.

Square's transparency and lack of hassle is one of the reasons it took off like a shot. It really shook up the industry.
 
The per transaction costs on Square are BONKERS HIGH compared to traditional terminals though. So I'll keep my usual merchant processing thanks.

Also... Heaven help you if there's a problem, because Square won't.
 
The per transaction costs on Square are BONKERS HIGH compared to traditional terminals though. So I'll keep my usual merchant processing thanks.

Also... Heaven help you if there's a problem, because Square won't.
Exactly. I don't do enough CC transactions to pay for the equipment rentals and fees, so Square is a better value. But it would not take long before that turns into a ridiculous cost. It's why I suspect that Square will offer more traditional terms if you ask them.
 
Exactly. I don't do enough CC transactions to pay for the equipment rentals and fees, so Square is a better value. But it would not take long before that turns into a ridiculous cost. It's why I suspect that Square will offer more traditional terms if you ask them.
I gave First Data $300 for the terminal that's on my desk 5 years ago...
 
I don't do enough CC transactions to pay for the equipment rentals and fees so Square is a better value.
Agreed.
So much cheaper than anything else. Square is the easiest to use, imho.
I rarely use the Bluetooth reader (it's usually flat when I try anyway).
I just enter cards manually. It's pretty simple.
I rarely go to my dashboard either, but they have a wealth of info about transaction summaries etc.
I don't send invoices unless the client asks, because it shows on their CC statement anyway.
 