Many merchants think that because they "own" their merchant account, they also own the credit card and customer data that passes through it when they process transactions. Not so. In addition to the PCI DSS, which forbids the storage of sensitive data, many federal, state and local laws also govern how this data may be used.
One law, FACTA (the Fair and Accurate Credit Transactions Act), goes so far as to mandate truncation of cardholder account numbers (PANs) and expiration dates on the merchant and customer copies of receipts. In addition, as of October 2008, MasterCard® mandated that all receipts be truncated. Furthermore, several companies recently in the news have suffered breaches of the data held on the magnetic stripe, as well as of the "secret code" data known as CVV2.
As a rule, none of the following data may be stored electronically:
- A cardholder's PIN
- The cardholder's credit card number
- The "secret code" or CVV2 data
- Any Track 1 or Track 2 data from the magnetic stripe
Storing any of the above data in electronic format, even when it appears innocent (for example, keeping account numbers, expiration dates and CVV2 codes in an Excel® spreadsheet because you need to do recurring billing), is against the PCI DSS and, in many cases, against Association Rules and Federal, State and Local laws!
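The two practical sides of the rules above are receipt truncation and finding prohibited data that has crept into stored files. The following is an added example, not code from the original article: it truncates a PAN for printing (keeping the last four digits, a common choice assumed here, and omitting the expiration date entirely) and scans constructed spreadsheet-style rows for full PANs, Track 1/Track 2 data and CVV2 values. The sample PAN is the widely published Visa test number, not a real account; the pattern for each data type is an assumption based on the usual layout of that data.

```python
import re

# Constructed sample: the well-known Visa test number, not a real account.
TEST_PAN = "4111 1111 1111 1111"


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a PAN for a printed receipt, keeping only the last `keep_last` digits.

    Keeping four digits is an assumption for this example; it stays within the
    usual 'no more than the last five digits' truncation rule.
    """
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("input does not look like a valid PAN")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def receipt_line(pan: str, amount: str) -> str:
    """Card line for a receipt: truncated PAN, and no expiration date at all."""
    return f"CARD {truncate_pan(pan)}  AMT {amount}"


# Patterns for data that must never be at rest in a spreadsheet, log or dump.
# These are assumptions about the common layout of each field, not a standard.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")        # 13-19 digits, spaces/dashes allowed
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")         # %B<PAN>^<NAME>^<YYMM>...
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")                       # ;<PAN>=<YYMM>...
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|csc)\b\s*[:=,]?\s*\d{3,4}", re.IGNORECASE)


def scan_records(lines):
    """Return (line_number, finding) pairs for every prohibited data type seen.

    A digit run only counts as a PAN when it passes the Luhn check, which
    filters out order numbers and similar innocent long numbers.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        if TRACK1_RE.search(line):
            findings.append((n, "track1"))
        if TRACK2_RE.search(line):
            findings.append((n, "track2"))
        if CVV_RE.search(line):
            findings.append((n, "cvv2"))
        for m in PAN_RE.finditer(line):
            if luhn_valid(re.sub(r"\D", "", m.group())):
                findings.append((n, "pan"))
                break
    return findings


# Constructed rows resembling a "recurring billing" spreadsheet export.
SAMPLE_ROWS = [
    "customer,pan,exp,cvv2",                          # header only: no finding
    "Acme Co,4111 1111 1111 1111,12/25,cvv2 123",     # full PAN plus CVV2 stored
    "Order 100045, total 19.99",                      # innocent numbers: no finding
    ";4111111111111111=25121010000000000000?",        # raw Track 2 from a swipe
    "%B4111111111111111^DOE/JANE^2512101?",           # raw Track 1
]

if __name__ == "__main__":
    print(receipt_line(TEST_PAN, "19.99"))
    for line_no, kind in scan_records(SAMPLE_ROWS):
        print(f"row {line_no}: prohibited data found ({kind})")
```

Run against a real export, the scanner is a quick way to confirm that a spreadsheet or database dump contains none of the four listed data types before it is kept; a positive hit on a PAN, track data or CVV2 means the file must be purged, not just protected.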