From the little neighborhood deli to nationwide fast food chains to Girl Scouts selling cookies on the corner, it seems like everyone accepts credit cards now; in fact, it’s almost essential to accept credit or debit cards in order to keep up with the competition. But just because a lot of merchants accept them doesn’t mean it’s a simple thing to do. There are many credit card processing laws that merchants must follow in order to stay in compliance with their processing providers, as well as to keep their customers’ information secure. Read on to learn about the legal responsibilities of processing credit and debit cards.
When completing a transaction using a credit or debit card, a great deal of personal information must be obtained, including name (or business name), address, card number, PIN, etc. Unfortunately, just as many more businesses now accept credit cards, many more people are trying to capitalize on this personal information, and identity theft has grown exponentially. Merchants have a great deal of responsibility to protect their customers’ information and must take considerable precautions. Even when it seems like you are being cautious, identity thieves are developing new technology all the time to get hold of the information they want.
Every business or merchant that accepts personal payment information from its customers is required to comply with credit card processing laws and regulations, as well as institutional policies implemented by the issuers of most credit and debit cards and credit card machines. By following these laws, in most cases you can fulfill your ethical duty of ensuring that your customers’ information is used only in the way they want it to be used, and that their financial security, privacy and confidentiality are protected.
So what are the legal responsibilities of credit card processing? Some laws/policies that ensure data security include:
• Merchants cannot store any customer credit or debit card information on a local server or computer.
• The Card Identification Number (CID) should never, under any circumstances, be stored electronically or on paper. (The CID is the three-digit security code on the back of the credit or debit card.)
• Transaction receipts may only show the last four digits of the credit or debit card number.
• If you absolutely must record the entire credit or debit card number to process the transaction, all but the last four digits of the number must be blacked out as soon as refunds and disputes are no longer likely. (Depending on your return policy, this will preferably be within 60 days and should not surpass 180 days.)
• Credit card information cannot be accepted via email. Any emails containing this information should be immediately deleted from your computer.
• Retain only original receipts showing the last four digits of the credit card number, or transactions with original signed documentation, and keep them in a secure location. These must be retained for a minimum of 12 months unless a longer retention period is required by contract or law. After the retention period, records must be destroyed confidentially.