Keep only what you need for your business.
- Use Social Security numbers only for required and lawful purposes. Don’t use SSNs as employee identifiers or customer locators.
- Keep customer credit card information only if you have a business need for it, and ensure stored information is in accordance with Payment Card Industry Data Security Standards (PCI-DSS).
- Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
- Change the default settings on your software that reads customers’ credit cards. Don’t keep information you don’t need.
- Truncate the account information on electronically printed credit and debit card receipts you give your customers. You may include no more than the last five digits of the card number, and you must delete the card’s expiration date.
- Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.