Monday, April 16, 2012

Credit card info

My business set up its credit card billing process a number of years ago. To keep it simple, we have the credit cards kept exclusively at our vendor who bills them monthly.  Now that we are a large firm, we are trying to plan for disaster recovery and identify points of failure.  A clear single point of failure is the small company that is our ISO who has all the credit card data.  How do we address the risk of them failing, failing to perform, or doing something corrupt for which we will be billed?

Frankly, the realistic risk is that they might go out of business and our credit card billing which is nearly half a million a month (over $30K daily!) fails to get processed and we have no method for recovering the card data and moving them elsewhere.

One of my goals this quarter is to consider the legal and practical issues in this situation and try to address them.  Any info or experience from anyone else who has faced this situation would be appreciated!


Jestep said...
This comment has been removed by the author.
Jestep said...

Use a 3rd party gateway and storage vault, which will segment your data from your processor. It may be difficult to find, but there's a variety of gateways that can use most processor front-ends.

Realistically, even a small ISO, has multiple levels of failure prevention. Their processor (Global, FDR, Chase, etc...) and acquiring bank are virtually insolvent-proof so disruption of service would be extremely unlikely. With that being said, good luck getting anything out those organizations no matter the circumstances.