My small marketing business accepts credit cards, but we're having difficulty solving a problem regarding the best way to store the card numbers digitally.

We currently store them securely on paper, but we have remote employees who also need this information, and it's impractical for them to have to call us every time they need a credit card number. We'd like some way for them to be able to securely access the credit card number and use it. For example, our remote employees often need to use a client's credit card to sign them up for services we purchase for them on their behalf (for instance, Google Ad Remarketing, which we manage for them). Without the full credit card number, they can't do this -- so having the cards in a tokenization system doesn't work for us.

Not sure I even explained this well enough -- but -- any ideas? Email is obviously not a solution since that isn't secure at all.

Thanks!

Talk with your credit card processing company about this. They should have a solution for you or you'll need to find another processing company.


We currently store them securely on paperUnlikely it's secure enough for the PCI auditors.

We currently store them securely on paper, but we have remote employees who also need this information, and it's impractical for them to have to call us every time they need a credit card number. We'd like some way for them to be able to securely access the credit card number and use it. For example, our remote employees often need to use a client's credit card to sign them up for services we purchase for them on their behalf (for instance, Google Ad Remarketing, which we manage for them). Without the full credit card number, they can't do this -- so having the cards in a tokenization system doesn't work for us.

Unless you want to drop several hundred thousand dollars a year on audits, you don't want to store credit card numbers. And no, paper is not secure. If you're handing out the card numbers to employees on an "as-needed" basis, I really hope that you have done extremely thorough background checks on them regularly - depending on where you're at, credit checks might even be allowed (handling sensitive financial data). Hopefully, "remote" doesn't mean "offshore".

Why not bill your clients? If your credit card processor doesn't offer a card-on-file service, change processors.

We currently store them securely on paper, but we have remote employees who also need this information, and it's impractical for them to have to call us every time they need a credit card number. We'd like some way for them to be able to securely access the credit card number and use it. For example, our remote employees often need to use a client's credit card to sign them up for services we purchase for them on their behalf (for instance, Google Ad Remarketing, which we manage for them). Without the full credit card number, they can't do this -- so having the cards in a tokenization system doesn't work for us.


Correct me if I am wrong, but it sounds like you do consulting services and act on behave of your clients. How are you invoicing your customers? Do you charge them on their credit card or do you invoice them?

Unless you are taking a monthly recurring cost from them, there is no reason why you should "store" their credit card, nor is there an easy way to store it. For Google (or any remarketing platform), as soon as you enter the credit card, you don't need it again. For new services that are added, I would ask my client for the credit card number again.

My small marketing business accepts credit cards, but we're having difficulty solving a problem regarding the best way to store the card numbers digitally.

We currently store them securely on paper, but we have remote employees who also need this information, and it's impractical for them to have to call us every time they need a credit card number. We'd like some way for them to be able to securely access the credit card number and use it. For example, our remote employees often need to use a client's credit card to sign them up for services we purchase for them on their behalf (for instance, Google Ad Remarketing, which we manage for them). Without the full credit card number, they can't do this -- so having the cards in a tokenization system doesn't work for us.

Not sure I even explained this well enough -- but -- any ideas? Email is obviously not a solution since that isn't secure at all.

Thanks!

Yeah, you are definitely doing it completely wrong. I agree that you should not be storing credit card numbers at all, especially not the way you are doing it. You are a security risk.

I also frequently need to set things up for clients, but my entire business model is based on showing people how to be independent and be in control of their web properties and tools. Part of that is directing them to sign up for things in thier own names, and going through the process so that they understand what they own, where it is, and how to access it if I get hit by a bus tomorrow.

What I do is either:



Give them clear directions on how to buy what they need and forward me the info when done.
Bill them up front for everything I need to buy or license and create it all in their name
Set up the accounts that need their CC's, like ad buys, and destroy the info that day.


I NEVER keep client's credit card info. Don't want it. Don't want to be responsible for it. Don't even want to be involved in any discrepancies.


If you need to do a card on file type of thing, you are going to need some real security. Your CC processor should be able to help you with that.