CRM Software exists, among other things, to capture and maintain information about your customers. Credit Card Numbers can be a key component of that information, and it seems like an efficient and effective use of the CRM Software to be able to maintain your customer’s credit card data right there with all the other account information. How convenient, right? You pull up a customer’s record, and voila…there’s the credit card.
In the old days (like 2 years ago!), this was pretty much how you did it. The laws around keeping credit card information were fairly minimal. Need to capture a customer’s credit card number? Type it in a field in your database. No problem. Need their expiration date? Type that somewhere too. Need their 3 or 4 digit physical card ID? What’s that?
Today, with PCI Compliance being a watchword and many people scared out of their wits to keep a credit card number anywhere, things are different. We can’t just store a customer’s credit card information anywhere; we have to keep it in a PCI Compliant location. As of July 1, 2010, if you took credit cards, you needed to be compliant with the PCI-DSS (Payment Card Industry Data Security Standard) requirements. Those requirements basically cover six areas – building and maintaining a secure network, protecting cardholder data, implementing “vulnerability management”, implementing strong controls over who has access to credit card data, regularly monitoring and testing network security, and having a written network information security policy. Most of our organizations don’t do a great job in these areas.
Because of these requirements, many standard software packages (including the majority of CRM software packages) omit out-of-the-box fields for credit card information. In addition, if you add custom fields for this data (which is easy in software like SugarCRM), you will likely be out of compliance with the PCI-DSS requirements, because the CRM database then becomes a place where cardholder data is stored. What to do?
In large part due to the growth of the internet and the increasing regulation of credit cards, online credit card processors like Authorize.Net have become more and more popular. This is mainly because they address many of the issues surrounding credit card processing today – security, ease of use, and accessibility, to name a few. The solution, then, is to have the best of both worlds – access to your credit card data from within your CRM Software, with the credit card data itself stored in a secure, PCI Compliant location.
One of the advantages of software like SugarCRM is its flexibility and the ease with which we can build integrations with other products and services. Accordingly, we recently developed an integration between SugarCRM and Authorize.Net. This integration lets users maintain credit card information for each account in Sugar. In addition, when entering a quote or an order, SugarCRM users can authorize and/or charge against that credit card. All of this is done in a 100% secure fashion, completely consistent with existing rules and regulations, while at the same time providing efficiency and ease of use for Sugar users when they need to look up or process credit card data.
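The pattern behind this kind of integration is that the card number itself lives only in the processor’s vault, and the CRM record keeps an opaque reference (token), the last four digits and the expiry. The following is an added example, not code from SugarCRM or Authorize.Net: `VaultClient` is a hypothetical stand-in for the processor’s customer-profile API, and `contains_pan` is the check that catches the out-of-compliance “just add a custom field” approach.

```python
import re
from dataclasses import dataclass

PAN_RUN = re.compile(r"\d{13,19}")  # card numbers are 13 to 19 digits


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit string (catches typos, not fraud)."""
    digits = [int(c) for c in pan]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CrmAccount:
    """What the CRM is allowed to hold: a reference to the card, never the card."""
    name: str
    card_token: str = ""
    card_last4: str = ""
    card_expiry: str = ""


class VaultClient:
    """Hypothetical stand-in for the processor's PCI-compliant vault: PAN in, token out."""
    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}  # constructed, in-memory only

    def tokenize(self, pan: str, expiry: str) -> str:
        token = f"tok_{len(self._cards) + 1:06d}"  # opaque, carries no card digits
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._cards:
            raise KeyError("unknown token")
        return {"token": token, "amount_cents": amount_cents, "approved": True}


def contains_pan(record: dict) -> bool:
    """True if any field holds a Luhn-valid 13-19 digit run, i.e. a real card number."""
    return any(luhn_ok(run)
               for value in record.values()
               for run in PAN_RUN.findall(re.sub(r"\D", "", str(value))))


def attach_card(account: CrmAccount, vault: VaultClient, pan: str, expiry: str) -> CrmAccount:
    """Vault the card at the processor; keep only token, last4 and expiry in the CRM."""
    pan = re.sub(r"\D", "", pan)
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    account.card_token = vault.tokenize(pan, expiry)
    account.card_last4 = pan[-4:]
    account.card_expiry = expiry
    return account
```

A quote or order then charges with `vault.charge(account.card_token, amount)`, so the CRM user never sees or handles the full number after entry.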
Credit Card regulations have made it hard to integrate credit card data with our CRM Software. However, thorny problems beget creative solutions. With SugarCRM, there is now a way to efficiently maintain and process credit card data in a compliant fashion.