As a Level 1 PCI Certified service provider, Ontraport can store your customers’ credit card data for you. That allows you to run subscriptions, payment plans and manually charge your customers’ cards anytime you need to, safely and securely.
But because Ontraport is storing this sensitive data for you, there are a few things you should know about how security around this stuff works. So, I’ll give you a quick run-down of storing credit card information and PCI compliance.
I won’t get into the fine print of Payment Card Industry (PCI) compliance because, frankly, I’m not a lawyer and I’m not here to give you legal advice. But it is helpful to know the basics of PCI standards and what Ontraport does to keep you compliant.
So, here’s the bottom line. If you accept credit cards, your business needs to be PCI compliant.
PCI is a bunch of security rules set by the credit card industry. No one really ever comes around and checks whether you’re compliant with them… until you have a security breach. If your business becomes the source of lost credit card data, all of a sudden everyone wants to know exactly how compliant you were. And, if the answer isn’t ‘100% compliant’ then you could end up liable for the cost of whatever fraud occurred with those lost cards.
And that can get really, really expensive, real fast. Like, “put you out of business” expensive.
We don’t want that, so this is something to pay a bit of attention to.
Now here’s the good news: compliance CAN be really easy for online businesses. Because the easiest way to be compliant is to never see or handle credit card data.
For online businesses, this is often pretty easy. People order online, their card data is stored in Ontraport, and you can’t see it.
In fact, this is exactly why we only show you the last 4 digits of your clients’ credit cards… because if you could see the whole card number, you’d suddenly be what they call ‘in scope’ for all the detailed compliance rules. Since you can’t see the number, you’re ‘out of scope’, which is a good thing.
Things get a bit hairier when you start accepting credit cards over the phone or in person, and frankly those situations are beyond what we’re going to discuss today.
What I CAN tell you is that to the extent you can avoid ever seeing or knowing your customers’ credit card data, you are keeping your business in a much lower risk position with respect to PCI and credit card fraud liability.
So, consider creating online order forms instead of taking credit card data over the phone. And please, if you do take payments over the phone or in person, don’t ever have people writing down credit card information on paper like in the old days. That’s just asking for trouble.
The good thing about Ontraport is that once a customer’s credit card is in the system, you can run charges against it anytime you need to. So, you can still take orders over the phone without worrying about PCI if you’re running the charge against the card that’s already on file.
If you do take cards in person or over the phone, we recommend that you research your liability with respect to PCI rules, because if the stuff ever does hit the fan, you’ll want to have your house in order.
Ok, that’s it for PCI!