From the little neighborhood deli to nationwide fast food chains to Girl Scouts selling cookies on the corner, it seems like everyone accepts credit cards now; in fact, it’s almost essential to accept credit or debit cards in order to keep up with the competition. But just because a lot of merchants accept them, it doesn’t necessarily mean it’s a simple thing to do. There are many credit card processing laws that merchants must follow in order to stay in compliance with their processing providers, as well as to keep their customers’ information secure. Read on to learn about the legal responsibilities of processing credit and debit cards.
When completing a transaction using a credit or debit card, a great deal of personal information must be obtained, including name (or business name), address, card number, PIN number, etc. Unfortunately, just as many more businesses now accept credit cards, there are many more people out there trying to capitalize on this personal information, and identity theft has grown exponentially. Merchants have a great deal of responsibility to protect their customers’ information, and must take a great deal of precaution. Even when it seems like you are being cautious, identity thieves are developing new technology all the time to get hold of the information they want.
Each and every business or merchant that accepts personal payment information from its customers is required to comply with credit card processing laws and regulations as well as institutional policies implemented by the issuers of most credit and debit cards and credit card machines. By following these laws, in most cases you can fulfill your ethical duty of ensuring that your customers’ information is being used only in the way they want it to be used, and that their financial security, privacy and confidentiality are protected.
So what are the legal responsibilities of credit card processing? Some laws/policies that ensure data security include:
Merchants cannot store any customer credit or debit card information on a local server or computer.
The Card Identification Number (CID) should never under any circumstances be stored electronically or on paper. (The CID number is the three-digit security code on the back of the credit or debit card.)
Transaction receipts may only show the last four digits of the credit or debit card number.
If you absolutely must record the entire credit or debit card number to process the transaction, all but the last four digits of the number must be blacked out as soon as refunds and disputes are no longer likely. (Depending on your return policy, this will preferably be within 60 days and should not surpass 180 days.)
Credit card information cannot be accepted via email. Any emails containing this information should be immediately deleted from your computer.
Only retain original receipts showing the last four digits of the credit card number or transactions with original signed documentation in a secure location. These must be retained for a minimum of 12 months unless a longer retention time period is required by contract or law. After the retention time period, records must be destroyed confidentially.
Paper records must be stored in a locked room or file cabinet. Access to your storage area(s) must be restricted to limited authorized personnel only.
When customers choose to complete a transaction with you via credit or debit card, they are putting a great amount of trust in you to protect their information. But if their information is compromised, you won’t just be facing the customer or your conscience; if you are found liable, you could face an expensive lawsuit. Even if you took every precaution and you are found not liable for a customer’s information being stolen from your company, the time and expense of a legal battle could prove very costly.
Credit card machines can provide the means for incredible profit, but they also come with a tremendous amount of responsibility to customers. Establish strict legal and ethical guidelines within your business to ensure that personal information is protected and access is limited. Follow these guidelines for card processing and ensure your employees follow them too, and your clients and customers will thank you for protecting their private information.