Sensitive data guidelines and Best Practices

Updated on 20-October-2016 at 10:16 AM

PCI Compliance

Business Catalyst is PCI compliant and does not store Card Holder Data. If you have setup a payment gateway, Credit Card processing is handled on their end - you will need to consult your payment gateway provider for specific information on how they handle Credit Card information. Although the Process Offline payment gateway is an inbuilt feature, Business Catalyst does not store Credit Card information or archive PDFs containing Credit Card information. Furthermore, we also do not collect CVV, CVV2, CVC2 & CID information as per PCI standards when using this payment gateway.

A PCI compliance certificate may sometimes be requested by specific payment gateway providers. If you require such a PCI compliance certificate, please reach out to Business Catalyst support. 

Storing Sensitive Data

As a best practice, Business Catalyst does not recommend storing sensitive personally identifiable data within the CRM. Sensitive data may include, but is not limited to, the following:

  • Credit Card Information (including CCV numbers)
  • Government-issued identification or registration information
  • Financial Account Details
  • Health and Medical Records
  • Ethnicity, race, religious, political, biometric, background check or criminal history information
  • Other personal data that can be used to facilitate identity theft

If you decide to store sensitive data, it is entirely your responsibility to properly secure it.

You can ensure that only authorized users have access to sensitive data by modifying user permissions . Data stored in the CRM can also be accessed via API so you must ensure you modify user permissions appropriately.

If sensitive data is stored within the CRM of your site, it is strongly recommended that you only access the admin console of your site using the Secure URL over a https:// connection.

Security Recommendations for Processing Payments

Consider the following security recommendations mentioned in this article when processing payments.