PCI Compliance and Cards on File

Ursula Librizzi

When it comes to your customers’ information, sophisticated data protection is a must. Yet so many businesses continue to store sensitive customer data haphazardly. Keeping this raw information in filing cabinets or on your computer makes both you and your customers vulnerable to a number of risks.

When it comes to moving away from these old-school tactics, a common misconception we come across is that it’s riskier to use a third-party provider to store the data for you. As a PCI level 1 Merchant Service Provider, we can confidently say this claim is false.

In this post, we dive into the importance of securely maintaining cardholder data and the costs around failing to do so. First, we review what puts your business squarely within PCI scope.

What Falls Into PCI Scope

Anything that stores, processes or transmits cardholder data is within PCI scope. So, if you’re internally storing customer card data, you’re within scope — and likely not doing it in a way that adheres to PCI standards. Here are three major components of your business’s technological infrastructure that impact PCI compliance:

Networks: These are physical, wireless and virtual connections. Pretty much every modern-day business uses some combination of these connections, so network segmentation serves to separate out-of-scope systems to avoid impacting security. An example of this is isolating where your cardholder data is stored.

Applications: These are the points of data entry, and are therefore always within scope. Think of card readers, point-of-sale software, Virtual Terminals and patient management systems. Without a security standard in place to secure cardholder data, these applications are vulnerable to exposing raw data. Commonly used standards are point-to-point encryption and tokenization.

Software: Whether the payment processing software is native or cloud-based dictates whether your computer servers are within scope. Cloud-based is more favorable, as it removes your servers from scope but still allows you to remotely access the encrypted card data on file.

You can descope your business technology and cut down on the number of networks, applications and software used to store, transmit and process your customers’ card data. If you fail to recognize and address what in your business’s technological infrastructure is within PCI scope, you’re a sitting target for hackers and fraudsters. This can lead to hefty costs for your business.

The Costs of Non-Compliance

Before you shy away from the costs associated with upgrading your business’s technology, consider the hefty fees you may face if you’re found to be operating outside of PCI compliance. Failure to maintain the highest standard of customer card data protection can result in the following repercussions:

  • Monthly fines ranging from $5,000 to $10,000
  • Fines per compromised card, which can reach up to $90 per card
  • Lawsuits by cardholders whose information was compromised
  • Compensation for cardholders, such as credit monitoring
  • Revenue loss due to reputation damage
  • Costly audits by the FTC or PCI
  • Merchant account loss

Why PCI Compliance Is Important

If it isn’t obvious by now, PCI compliance poses a number of benefits to your business. While avoiding reputation damage and heavy costs, you also reduce the risk of a data breach, protect your business’s longevity, secure your cardholders’ data and increase customer retention. Don’t be apprehensive when it comes to new technologies and change at your business. Implementing these solutions today may just save your business from a major breach in the near future.


About Author
Ursula Librizzi

Ursula is the sales and marketing operations manager for PayJunction. She oversees daily marketing tasks and liaises between the sales and marketing departments.
