Do you store all of your customers’ personal data and habits? It’s a risky thing to do for a few reasons. First, every piece of data you keep is data you could expose to hackers and other nefarious online entities. Also, it might not be legal, depending on where you do business. Lastly, storing actual cardholder data requires specific and attentive PCI compliance procedures and scans. You may also want to check out this article from one of our partners, Shopify; it details some of the legalities and data management responsibilities that come with being an online merchant.
A few opinions on how to handle sensitive data.
If you want to use a customer’s purchase history and area of residence to target specific products you think they will buy, show a short form when they make their first purchase, explain the benefits and ask permission to gather that data. If the customer agrees, store and use the data; if not, discard it.
Long gone are the days when an e-commerce merchant could build their own payment form, have it simply email cardholder data to them, and store card numbers on their laptop “in case they need them again”. PCI compliance is incredibly important, and merchants who experience a breach, especially a careless one, will be on the hook for the cost of card replacement, forensic accounting, investigation, and the actual fraud perpetrated on the stolen cards. Step one should be keeping cardholder data on a secure, PCI compliant server hosted by a certified shopping cart or payment gateway such as NMI, so that card numbers never need to be stored on your own systems. If you have any questions and would like to “bend our ear” for some friendly advice on secure payment gateways and cardholder data options for one-time or subscription / recurring billing programs, please contact us anytime.