Payment Card Number Security and Compliance

NetSuite is Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliant. Therefore, NetSuite may store payment card numbers. For information on the PCI DSS, see https://www.pcisecuritystandards.org.

Warning:

Only enter and maintain payment card information in secure encrypted fields available in NetSuite on the Credit Card subtab of Customer records and on transaction forms (Sales Orders, Cash Sales, Customer Deposits, Customer Payments, Customer Refunds, and Cash Refunds).

Do not enter payment card information in unencrypted fields. Entering payment card information in unencrypted fields violates the PCI Data Security Standard and may lead to payment card data theft. Punitive actions by card associations and your merchant account provider may follow, including financial penalties and a loss of payment card acceptance rights.

With the exception of entering a new card, you cannot access unmasked payment card numbers under any role unless a permission is explicitly granted. This security measure protects the customer account data against unauthorized access, fraud, and other security issues.

If you work with third-party fulfillment and logistics (3PL) companies, you may require access to unmasked payment card numbers. For example, you may need to export a customer's payment card number to a 3PL company together with the customer's order. In this situation, you must use a secure method to transmit this information to the 3PL.

Displaying Unencrypted Payment Card Numbers with an Explicit Permission

To see unmasked payment card numbers, you must log in under a role with the View Unencrypted Credit Cards permission. To obtain this permission, an administrator must contact Customer Support and provide a signed agreement. Then, Customer Support activates the View Unencrypted Credit Cards permission for your account.

If you print, email, or fax transactions (for example, Sales Orders), payment card numbers are never displayed in unmasked form, regardless of your permissions. Unmasked payment card numbers are displayed only in one situation: you have the View Unencrypted Credit Card Numbers permission and you execute a saved search that includes payment card numbers in its results. This functionality supports 3PL relationships.

Displaying Unmasked Payment Card Numbers for Administrative Purposes

Certain business administrative functions require access to full, unmasked payment card numbers. According to Visa U.S.A. and TrustWave, the PCI auditing service used by NetSuite, displaying unmasked payment card numbers does not in itself violate the PCI Data Security Standard or Visa U.S.A.'s CISP requirements. If you must display full card numbers, ensure that sufficient controls are in place to guarantee the security of the card number data.

The PCI Data Security Standard 3.2.1 provides the following guidelines on masking the Primary Account Number (PAN), with the exception of administrative functions that require the full number:

Payment Card Numbers in Search

To ensure the security of your customers' payment card information, search criteria based on the Credit Card Number field can use only the following operators: is empty or is not empty. This restriction also applies to payment card number searches executed programmatically through SOAP web services, SuiteScript, or SuiteFlow.

Related Topics

Accepting Credit Card Payments
Credit Card Authorization
Credit Card Processing Gateway FAQ
Customer Credit Card Processing
Maintaining Recurring Credit Card Payments
Managing Payment Holds
Order Verification Rules
Reviewing Payment Status and Sales Orders
Setting Up Customer Credit Card Processing
Setting Up Customer Credit Card Soft Descriptors
Transitioning to a New Gateway and Disabling the Old Gateway
Using CyberSource Decision Manager for Fraud Management
Viewing Customer Credit Card Transactions