Using Cloud Retailer may seem like a convenient place to store Credit Card numbers for recurring payments, but due to the highly-sensitive nature of payment data, that is not the case! This article will lay out why Cloud Retailer is NOT a good choice for storing this information and give you some info about what steps to take next.
Why you should not store Credit Card data in Cloud Retailer
- All security-sensitive fields, such as passwords and authentication data, are properly secured. Common data-entry fields, such as Customer Notes, are NOT secured within our system: they are stored as plain text and likely have no additional access controls in place.
- The PCI Compliance Security Console requires that all Primary Account Numbers (CC numbers) be encrypted when stored within any type of system. Additionally, Sensitive Authentication Data (such as the CVV or PIN) can NEVER be stored. Please see the links under References for more information on these standards.
- Our Cloud Retailer Terms of Service, specifically items 17 and 18 under Prohibited Activities, expressly list storage of Cardholder data within our system as a prohibited activity.
How we help you stay secure
We are constantly working on proactive security and safety measures within Cloud Retailer. As part of this, we perform routine scans of each Cloud Retailer instance to flag possible data security issues, including storage of Cardholder data.
If we detect that sensitive data has been found within your instance of Cloud Retailer, our support team will reach out to your business owner or technical contact with a plan of action to move the data from Cloud Retailer to another system that specializes in storage of Cardholder data (see below).
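The kind of scan described above, as an added illustration that is not Cloud Retailer's own code: it walks free-text customer notes, flags digit runs that pass the Luhn check as probable Primary Account Numbers, reports them masked to the last four digits, and separately flags notes that appear to hold Sensitive Authentication Data (CVV/PIN). The note contents and customer ids are constructed sample data.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive Authentication Data hint: a CVV/CVC/PIN label followed by 3-4 digits.
SAD_PATTERN = re.compile(r"\b(?:cvv2?|cvc|pin)\b\s*:?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Never echo a full PAN in a report; keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_note(note: str) -> list[str]:
    findings = [f"PAN {mask_pan(p)}" for p in find_pans(note)]
    if SAD_PATTERN.search(note):
        findings.append("possible sensitive authentication data (CVV/PIN)")
    return findings


def scan_notes(notes: dict[str, str]) -> dict[str, list[str]]:
    """Map customer id -> findings, omitting customers with clean notes."""
    return {cid: f for cid, f in ((cid, scan_note(n)) for cid, n in notes.items()) if f}


# Constructed sample notes (test card numbers, not real accounts).
SAMPLE_NOTES = {
    "cust-001": "Recurring order, card 4111 1111 1111 1111 exp 12/27 cvv 123",
    "cust-002": "Phone order ref 1234567890123 callback Tuesday",
    "cust-003": "Use 5555-5555-5555-4444 for monthly billing",
}

if __name__ == "__main__":
    for cid, findings in scan_notes(SAMPLE_NOTES).items():
        print(cid, findings)
```

The 13-digit reference in cust-002 matches the digit pattern but fails the Luhn check, so it is not reported; the CVV in cust-001 is flagged separately because that data may never be stored at all.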
If I cannot store Credit Card data in Cloud Retailer, what should I use?
This is a tricky topic. As with many things related to PCI security, the answer depends on many factors. Even if we were to endorse any given software, which we do not, it is still very much up to how you use that software within your environment. Your Credit Card processor should have the best advice for what to use given your needs and situation.
References
- Cloud Retailer Terms of Service
- [PCI Standards Organization] https://listings.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf
- [PCI Compliance Guide] https://www.pcicomplianceguide.org/how-does-taking-credit-cards-by-phone-work-with-pci/