Incorrectly Storing Credit Card Data
BigCommerce is a PCI-DSS Level 1 Service Provider; as such, our storage of Account Data is audited annually by a Qualified Security Assessor (QSA).
The Payment Card Industry Data Security Standard defines Account Data as follows:
- Cardholder Data
  - Primary Account Number
  - Cardholder Name
  - Expiration Date
- Sensitive Authentication Data
  - Security Code (CVV)
While the standard does have a provision for the storage of Cardholder Data prior to the completion of the credit transaction, it does not make allowance for the storage of Sensitive Authentication Data.
However, to reduce exposure of Cardholder Data, it is BigCommerce policy to not store any Account Data.
BigCommerce performs ongoing security scans to ensure data security compliance across our platform. If a merchant is storing data that violates any of the policies mentioned above, the data will be expunged and the merchant will be alerted to the violation.
If you have a requirement to store customer credit card data for recurring billing purposes, there are recurring billing applications, such as Rebillia, available in the BigCommerce app marketplace that can satisfy this requirement.