Payment Card Number Security and Compliance
NetSuite is Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliant and is therefore permitted to store payment card numbers. For information on the PCI DSS, see https://www.pcisecuritystandards.org.
Only enter and maintain payment card information in secure encrypted fields available in NetSuite on the Credit Card subtab of Customer records and on transaction forms (Sales Orders, Cash Sales, Customer Deposits, Customer Payments, Customer Refunds, and Cash Refunds).
Do not enter payment card information in unencrypted fields. Entering payment card information in unencrypted fields violates the PCI Data Security Standard and may lead to payment card data theft. Punitive actions by card associations and your merchant account provider may follow, including financial penalties and a loss of payment card acceptance rights.
With the exception of entering a new card, you cannot access unmasked payment card numbers under any role unless a permission is explicitly granted. This security measure protects the customer account data against unauthorized access, fraud, and other security issues.
If you work with third-party fulfillment and logistics (3PL) companies, you may require access to unmasked payment card numbers, for example, to export a customer's payment card number to a 3PL company along with the customer's order. In this situation, you must use a secure method to transmit the information to the 3PL.
Displaying Unencrypted Payment Card Numbers with an Explicit Permission
To see unmasked payment card numbers, you must log in under a role with the View Unencrypted Credit Cards permission. To obtain this permission, an administrator must contact Customer Support and provide a signed agreement. Then, Customer Support activates the View Unencrypted Credit Cards permission for your account.
If you print, send by email, or fax transactions, for example Sales Orders, payment card numbers are not displayed in unmasked form regardless of your permissions. Unmasked payment card numbers are displayed only in the following situation: you have the View Unencrypted Credit Card Numbers permission and you execute a saved search that includes payment card numbers in the results. This functionality supports 3PL relationships.
Displaying Unmasked Payment Card Number for Administrative Purposes
Certain business administrative functions require access to full unmasked payment card numbers. According to Visa U.S.A. and the NetSuite PCI auditing service, TrustWave, displaying unmasked payment card numbers in and of itself does not violate the PCI Data Security Standard or Visa U.S.A.'s CISP requirements. If you must display full card numbers, ensure that sufficient controls are in place to guarantee the security of the card number data.
The PCI Data Security Standard 3.2.1 provides the following guidelines on masking the Primary Account Number (PAN), with the exception of administrative functions that require the full number:
- "Requirement 3: concerns protection of stored data; specifically primary account numbers, or PANs, and sensitive authentication data, or SAD, using methods that include hashing, truncation, and/or encryption. The main goal of this requirement is to minimize all risks associated with the storage of cardholder data. Mainly, if the data is not needed, DO NOT STORE IT."
- "3.3 relates to masking PAN numbers when displayed, such as on screens or when printed in reports or receipts. "Masking" involves "hiding" the middle digits of the PAN, so that a maximum of first six and last four digits is all that is displayed. This requirement relates to the protection of PAN numbers displayed on screens, paper receipts, etc., and is not to be confused with Requirement 3.4 for protection of the PAN when stored in files, databases, etc."
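The masking rule quoted above (show at most the first six and last four digits, hide the middle) is easy to get wrong in custom display code. The following is an added example written for this page, not NetSuite or PCI SSC code: a `maskPan` helper that applies the 3.3 limit regardless of the caller's requested format, and an `isCompliantMask` check that a defender can run over strings bound for a printed form, email template, or custom script output to confirm nothing unmasked slips through. The card number used below is the well-known constructed test value 4111 1111 1111 1111, not real cardholder data.

```javascript
// Added example, not NetSuite code. Masks a Primary Account Number (PAN) so that
// at most the first six and last four digits remain visible (PCI DSS v3.2.1 req. 3.3).
function maskPan(pan, { leading = 6, trailing = 4 } = {}) {
  // Strip spaces and dashes; a PAN is 13 to 19 digits.
  const digits = String(pan).replace(/\D/g, '');
  if (digits.length < 13 || digits.length > 19) {
    throw new Error('PAN must contain 13 to 19 digits');
  }
  // Clamp the caller's request to the 3.3 ceiling so a bad option can never
  // expose more than first six / last four.
  const lead = Math.min(Math.max(leading, 0), 6);
  const trail = Math.min(Math.max(trailing, 0), 4);
  const hidden = digits.length - lead - trail;
  return digits.slice(0, lead) + '*'.repeat(hidden) + digits.slice(digits.length - trail);
}

// Defender-side check: does a string that is about to be displayed, printed or
// emailed satisfy the 3.3 masking rule? Accepts optional spaces/dashes as
// formatting, then requires <=6 leading digits, a run of masking characters,
// and <=4 trailing digits. Anything with seven or more visible digits in a row
// (including a fully unmasked PAN) fails.
function isCompliantMask(masked) {
  const compact = String(masked).replace(/[\s-]/g, '');
  return /^\d{0,6}\*+\d{0,4}$/.test(compact);
}

// Stand-alone demonstration with a constructed test PAN.
const samplePan = '4111 1111 1111 1111';
console.log(maskPan(samplePan));                  // 411111******1111
console.log(maskPan(samplePan, { leading: 0 }));  // ************1111
console.log(isCompliantMask('411111******1111')); // true
console.log(isCompliantMask('4111111111111111')); // false (unmasked)
```

`maskPan` deliberately clamps rather than honours an over-generous `leading`/`trailing` request, so the ceiling in 3.3 is enforced by the helper rather than by every caller remembering it. `isCompliantMask` is a display-side guard only; it says nothing about how the PAN is stored, which is the separate concern of Requirement 3.4.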
Payment Card Numbers in Search
To ensure the security of your customers’ payment card information, search criteria based on the Credit Card Number field can only use the following operators: is empty or is not empty. This includes payment card number searches executed programmatically by using SOAP web services, SuiteScript, or SuiteFlow.
Related Topics
- Accepting Credit Card Payments
- Credit Card Authorization
- Credit Card Processing Gateway FAQ
- Customer Credit Card Processing
- Maintaining Recurring Credit Card Payments
- Managing Payment Holds
- Order Verification Rules
- Reviewing Payment Status and Sales Orders
- Setting Up Customer Credit Card Processing
- Setting Up Customer Credit Card Soft Descriptors
- Transitioning to a New Gateway and Disabling the Old Gateway
- Using CyberSource Decision Manager for Fraud Management
- Viewing Customer Credit Card Transactions