NetSuite is Payment Card Industry Data Security Standard (PCI DSS) level 1 compliant. Therefore, NetSuite may preserve payment card numbers. For information on the PCI DSS, see https://www.pcisecuritystandards.org.
Only enter and maintain payment card information in secure encrypted fields available in NetSuite on the Credit Card subtab of Customer records and on transaction forms (Sales Orders, Cash Sales, Customer Deposits, Customer Payments, Customer Refunds, and Cash Refunds).
Do not enter payment card information in unencrypted fields. Entering payment card information in unencrypted fields violates the PCI Data Security Standard and may lead to payment card data theft. A punitive actions by card associations and your merchant account provider may follow, including financial penalties and a loss of payment card acceptance rights.
With the exception of entering a new card, you cannot access unmasked payment card numbers under any role unless a permission is explicitly granted. This security measure protects the customer account data against unauthorized access, fraud, and other security issues.
If you work with third-party fulfillment and logistics (3PL) companies, you may require access to unmasked payment card numbers. For example, if you want to export a customer's payment card number to a 3PL company with the customer's order. In this situation, you must use a secure method to transmit this information to the 3PL.
Displaying Unencrypted Payment Card Numbers with an Explicit Permission
To see unmasked payment card numbers, you must log in under a role with the View Unencrypted Credit Cards permission. To obtain this permission, an administrator must contact Customer Support and provide a signed agreement. Then, Customer Support activates the View Unencrypted Credit Cards permission for your account.
To see unmasked payment card numbers, you must be in Edit mode, not View mode.
If you print, send by email, or fax transactions, for example Sales Orders, payment card numbers are not displayed in unmasked form regardless of your permissions. Unmasked payment card numbers are displayed only in the following situation: you have the View Unencrypted Credit Card Numbers permission and you execute a saved search that includes payment card numbers in the results. This functionality supports 3PL relationships.
Displaying Unmasked Payment Card Number for Administrative Purposes
Certain business administrative functions require access to full unmasked payment card numbers. According to Visa U.S.A. and NetSuite's PCI auditing service, TrustWave, displaying unmasked payment card numbers in and of itself does not violate the PCI Data Security Standard or Visa U.S.A.'s CISP requirements. If you must display full card numbers, ensure that sufficient controls are in place to guarantee the security of the card number data.
The PCI 1.2.1 standard provides the following guidelines on masking the Primary Account Number (PAN), with the exception of administrative functions that require the full number:
“Requirement 3: Protect stored cardholder data. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.”
“3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data (for example, for point of sale [POS] receipts).”
Payment Card Numbers in Search
To ensure the security of your customers’ payment card information, search criteria based on the Credit Card Number field can only use the following operators: is empty or is not empty. This includes payment card number searches executed programmatically by using SOAP web services, SuiteScript, or SuiteFlow.