What’s in Their Wallets?

Your customers trust you with their credit card numbers. Expert lays out a plan to safeguard their information and protect your store in the event of a Target-style data breach.

March 2014, Auto Dealer Today - Feature

by Chad DeKing

Having customers swipe their own credit cards is one of several steps you can take to help safeguard their personal data — and your dealership. 
The news lately has been dominated by headlines about credit cards; specifically, the very real risks associated with how credit card transactions and data are handled by businesses. In December, we learned that millions of Target shoppers’ card numbers might have been compromised by a massive data breach. This is an ideal time for dealers to collectively examine the risks and best practices of payment transactions.

Because the automotive industry conducts most of its service business with credit cards, it is imperative that dealers better manage the risks associated with them, and become more intimately familiar with Payment Card Industry (PCI) standards and best practices. It is no small subject. However, as with most things, a review of the fundamentals is the best place to start to help your staff become more security conscious.

Security Standards

The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of PCI compliance. The council had a singular goal of improving payment account security throughout the transaction process. Visa, MasterCard, American Express, Discover and Japan Credit Bureau (JCB) founded the PCI SSC to work with banks, merchants and payment industry suppliers to develop and implement security standards. The Payment Card Industry Data Security Standard emerged from that process. PCI DSS is designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.

Every dealer should be concerned about PCI DSS. If a security breach occurs and credit card information is stolen, the dealership and any of its suppliers that interact with the credit card data are responsible — and accountable — for the breach. The payment brands may, at their discretion, fine the bank that underwrites the dealership’s payment processing, and those fines can be thousands of dollars per month for PCI compliance violations. The bank would most likely pass those fines downstream until they eventually hit the dealership and its owners. The bank also could choose to significantly increase the store’s transaction fees or even terminate its relationship with the dealer.

Penalties are not often openly discussed or widely publicized, but they could be catastrophic to a dealership. Even more important is the impact on your customers. They will most certainly question whether they should choose to do business with you again, and bad news travels quickly.

Ensuring your dealership consistently maintains strict PCI compliance can be a complex process; however, implementing four PCI best practices can make it much simpler:

Never store credit card information. That file drawer or computer folder containing credit card numbers places your dealership at tremendous risk. Never keep a customer’s credit card number in any format, be it electronic or paper.

Never ask your employees to handle a credit card. The moment an employee takes possession of a customer’s credit card — even just to swipe it through a payment terminal — you have granted that employee access to sensitive cardholder data. Your customers should swipe their own cards.

Never store credit card information in your own system. Suppliers within the payment card industry can take the responsibility for processing credit card data and storing cardholder data if necessary; when you store the data on your own system, your risk increases significantly.

Select a PCI-certified supplier. As of July 2010, the PCI SSC requires all merchants using third-party software to validate that their suppliers’ applications are PCI-certified. Look for payment systems that use updated security methods such as tokenization and end-to-end encryption.

All dealers accept credit cards. As a result, you take on the risks and responsibilities associated with processing those transactions. The starting point for ensuring your store is adequately shielded from these risks is to become familiar with the PCI standards and make PCI compliance part of your day-to-day operations. Use payment industry suppliers that reduce your risk as much as possible so that you can stick to what you do best: selling and servicing vehicles.

Chad DeKing is the managing partner of SwervePay Sales & Service LLC. He has more than 30 years of experience with expertise in the convergence of technology, operational data and customer data.


  1. Kyle Merritt [ February 12, 2015 @ 07:13PM ]

    My dealership, daily, SEVERAL TIMES A DAY, allows our sales staff to take credit card numbers via phone without proper customer authorizations (proper paper form that can be faxed or e-mailed to client for their approval and verification). These transactions are primarily used to "HOLD" certain autos until said client can visit store and properly execute a purchase transaction. I have tried to introduce this card payment processing authorization but have been "rebuffed" because it is "too much work." We have had complaints about unauthorized charges, and these salespeople routinely hold onto "Post-its" with credit card numbers on them, write these card numbers on manila file folders that contain other sensitive docs, etc. I would appreciate input on card taking (via phone) best practices, and any advice you can muster for a proper transaction.

