The PCI DSS (Payment Card Industry Data Security Standard) requires Volusion to store all sensitive cardholder data securely. It also requires every merchant that handles cardholder data online to follow the PCI DSS guidelines.
PCI DSS requires that cardholder data be stored only to the extent, and for the time, that your business actually needs it. Further, it specifically requires that Primary Account Numbers (the card number printed on the face of the card, "PAN") be masked when displayed (at most the first six and the last four digits may be shown) and be rendered unreadable anywhere they are stored. As a result, any stored PAN must be encrypted; a PAN sitting in plain text in any field is a violation. Finally, sensitive authentication data (the card security code, full magnetic-stripe or chip data, and PINs) may never be stored after authorization, even if encrypted.
Below is a list of merchant-specific data storage practices that violate the PCI DSS:
- credit card numbers stored in custom fields (on orders or customer records)
- card security codes (CVV2/CVV/CSC/CVC/CID) stored in custom fields
- credit card numbers stored in order notes fields (Order Notes or Private Notes)
- card security codes stored in order notes fields
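Finding such data in an existing store is the practical problem: notes and custom fields are free text, so a card number can sit in a "Private Notes" field next to a tracking number of the same length. The scanner below is an added example for this article, not Volusion code or a Volusion export format: it assumes orders and customer records have already been exported to a list of dicts with a record id, a field name and the field's text (constructed sample records are embedded), and it flags only digit runs that are 13 to 19 digits long and pass the Luhn check, so a 16-digit tracking number is not reported while a real test card number is. Labelled security codes are reported separately, and a redaction helper truncates each PAN to the first six and last four digits and removes security codes outright.

```python
"""Scan exported order/customer records for stored PANs and card security codes.

Added example for this article (not Volusion's code). The record layout
below is an assumption about how such an export might look, and every
record is constructed sample data; the card numbers are public test numbers.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3- or 4-digit code explicitly labelled as a card security code.
CVV_PATTERN = re.compile(
    r"\b(?:cvv2?|cvc2?|csc|cid|security\s*code)\b\s*[:#=-]?\s*(\d{3,4})\b",
    re.IGNORECASE,
)

# Constructed sample export: one record per (order, field).
SAMPLE_RECORDS = [
    {"id": "1001", "field": "Private Notes",
     "text": "Customer called back, card 4111 1111 1111 1111 exp 12/26 cvv 123"},
    {"id": "1002", "field": "Order Notes",
     "text": "Shipped via tracking 1234567890123456"},   # 16 digits, fails Luhn
    {"id": "1003", "field": "Custom Field 1", "text": "5500000000000004"},
    {"id": "1004", "field": "Order Notes", "text": "Gift wrap requested"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the PCI DSS display maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Return unmasked PANs found in free text (length and Luhn checked)."""
    return [_digits_only(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_digits_only(m.group(0)))]


def find_security_codes(text: str) -> list[str]:
    """Return labelled security codes found in free text."""
    return [m.group(1) for m in CVV_PATTERN.finditer(text)]


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str    # "PAN" or "CVV"
    value: str   # masked PAN, or "***" for a security code (never log it)


def scan_records(records) -> list[Finding]:
    """Scan each record's text field and report violations without
    reproducing the sensitive values in the report."""
    findings = []
    for rec in records:
        for pan in find_pans(rec["text"]):
            findings.append(Finding(rec["id"], rec["field"], "PAN", mask_pan(pan)))
        for _ in find_security_codes(rec["text"]):
            findings.append(Finding(rec["id"], rec["field"], "CVV", "***"))
    return findings


def redact_text(text: str) -> str:
    """Truncate every PAN to first six + last four and drop security codes."""
    def _pan(m):
        d = _digits_only(m.group(0))
        return mask_pan(d) if luhn_valid(d) else m.group(0)

    def _cvv(m):
        label = m.group(0)[: m.start(1) - m.start(0)]
        return label + "[removed]"

    return CVV_PATTERN.sub(_cvv, PAN_CANDIDATE.sub(_pan, text))


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"order {f.record_id} / {f.field}: {f.kind} {f.value}")
    print(redact_text(SAMPLE_RECORDS[0]["text"]))
```

Run against the real export, then act on the findings by editing the records in the store; the report itself contains only truncated PANs, so it is safe to keep as evidence of the cleanup. Truncation to first six and last four is what the masking rule permits, while security codes are removed entirely because they may never be retained after authorization.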
Please be aware that you must also remove any mechanism in your store that captures sensitive data in unapproved ways:
- order custom fields that request card numbers or security codes
- customer custom fields that store card numbers or security codes
Please delete any violating data immediately, and remove the fields that collected it, to ensure you are not breaching Volusion's Terms of Service or violating PCI DSS requirements.