
Payment Data Security: What Dealerships Get Wrong

Common payment security mistakes at dealerships — from card handling to PCI compliance — and how to protect your business and customers.

Anchorbase Team

Integrated Payments Experts

November 21, 2025

Dealerships handle sensitive payment data every day. Credit card numbers, bank accounts, customer information — all flowing through your systems.

Most dealerships think they're secure. Many have significant vulnerabilities they don't know about.

Here are the security mistakes we see most often, and how to fix them.

Mistake #1: Writing Down Card Numbers

The Problem

Customer calls to pay over the phone. Staff writes the card number on a sticky note. Transaction processed. Sticky note sits on desk. Or gets thrown in trash. Or filed with paperwork.

That card number is now exposed.

Why It Matters

PCI violation: Writing full card numbers is explicitly prohibited.

Liability: If that number is compromised, you're responsible.

Fines: PCI non-compliance can mean fines up to $100,000/month.

The Fix

For phone payments:

  • Use a virtual terminal with direct entry (no writing)
  • Use payment links sent to the customer
  • Use an automated phone payment system

Never write down:

  • Full card numbers
  • CVV codes
  • Expiration dates

If you must record something temporarily, destroy it immediately after the transaction.

Mistake #2: Storing Card Data Unsafely

The Problem

Card numbers in spreadsheets. Card images saved in email. Customer cards "on file" in a notebook or text file.

All of this is unsafe and non-compliant.

Why It Matters

Data breach risk: Stored card data is a target for hackers.

PCI violation: Card data storage has strict requirements most dealers can't meet.

Breach costs: Average data breach costs hundreds of thousands of dollars.

The Fix

Don't store card data yourself.

If you need cards on file for recurring charges:

  • Use your processor's secure vault
  • Use tokenization (store a token, not the card)
  • Let the secure systems handle storage

Delete any card data you've stored outside secure systems.
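To find card data that has already ended up in spreadsheets, email exports or text files, the following added example (not Anchorbase code) scans text for digit runs that look like card numbers, confirms them with the Luhn checksum, and reports only the last four digits. The sample rows are constructed and use published test card numbers; the function names and the `customers.csv` label are illustrative.

```python
import re

# 13-19 digits, optionally split by single spaces or hyphens (e.g. "4111 1111 1111 1111").
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample export using published test card numbers, not real data.
SAMPLE = """\
customer,phone,note
J. Smith,555-0142,card on file 4111 1111 1111 1111 exp 12/27
A. Jones,555-0199,invoice 1234567890123456 paid by check
R. Lee,555-0117,amex 378282246310005
M. Diaz,555-0163,called back re: 5555-5555-5555-4444
"""


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Show only the last four digits so the report never holds a full number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text, source="<input>"):
    """Return (source, line number, masked number) for each Luhn-valid candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):  # filters out most invoice numbers and other long IDs
                findings.append((source, line_no, mask(digits)))
    return findings


if __name__ == "__main__":
    for source, line_no, masked in find_card_numbers(SAMPLE, "customers.csv"):
        print(f"{source}:{line_no}: possible card number {masked}")
```

Roughly one in ten random digit strings passes the Luhn check, so treat each hit as a lead to review by hand before deleting the file or record.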

How Anchorbase Handles This

Anchorbase handles card storage securely through tokenization. You can charge cards on file without ever storing the actual card number on your systems.


Mistake #3: Sharing Passwords

The Problem

Everyone uses the same terminal password. Login credentials passed around. "Just use my login to process that."

Why It Matters

No accountability: When something goes wrong, who did it?

Access creep: Former employees may still have access.

Audit failure: Auditors look for individual accountability.

The Fix

Individual logins for everyone:

  • Each user has unique credentials
  • Access tied to role
  • Terminated employees immediately removed

Password requirements:

  • Unique, not shared
  • Changed regularly (or use single sign-on)
  • Never written where visible
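A periodic access review makes these rules checkable. The added example below (not Anchorbase code) compares payment-system accounts against the current staff roster and flags accounts that are logged in on two workstations at once, which usually means a login is being shared. The roster, account names, workstation names and login log format are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: HR roster, payment-system accounts, login sessions.
ACTIVE_EMPLOYEES = {"adiaz", "jsmith", "rlee"}
TERMINAL_ACCOUNTS = {"adiaz", "jsmith", "rlee", "mjones", "frontdesk"}
LOGIN_EVENTS = [  # (account, workstation, login time, logout time)
    ("jsmith", "parts-01", "2025-11-03 09:00", "2025-11-03 12:30"),
    ("jsmith", "service-02", "2025-11-03 10:15", "2025-11-03 10:40"),
    ("rlee", "finance-01", "2025-11-03 09:05", "2025-11-03 17:00"),
    ("mjones", "service-02", "2025-11-03 13:00", "2025-11-03 13:20"),
    ("adiaz", "parts-01", "2025-11-03 13:00", "2025-11-03 17:00"),
]
TIME_FORMAT = "%Y-%m-%d %H:%M"


def orphaned_accounts(accounts, employees):
    """Accounts with no active employee behind them: former staff or generic logins."""
    return sorted(accounts - employees)


def orphans_still_in_use(accounts, employees, events):
    """Orphaned accounts that still appear in the login log (highest priority)."""
    used = {account for account, *_ in events}
    return sorted((accounts - employees) & used)


def concurrent_sessions(events):
    """Accounts with overlapping sessions on different workstations (likely shared)."""
    by_account = {}
    for account, host, start, end in events:
        session = (datetime.strptime(start, TIME_FORMAT),
                   datetime.strptime(end, TIME_FORMAT), host)
        by_account.setdefault(account, []).append(session)
    flagged = []
    for account, sessions in by_account.items():
        sessions.sort()  # by login time, so each later session starts at or after s1
        for i, (s1, e1, h1) in enumerate(sessions):
            for s2, e2, h2 in sessions[i + 1:]:
                if s2 < e1 and h1 != h2:  # second login began before the first ended
                    flagged.append((account, h1, h2))
    return sorted(flagged)


if __name__ == "__main__":
    print("No active employee:", orphaned_accounts(TERMINAL_ACCOUNTS, ACTIVE_EMPLOYEES))
    print("Still in use:", orphans_still_in_use(TERMINAL_ACCOUNTS, ACTIVE_EMPLOYEES, LOGIN_EVENTS))
    print("Concurrent use:", concurrent_sessions(LOGIN_EVENTS))
```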

Mistake #4: Insecure Network

The Problem

Payment terminals on the same network as guest WiFi. No firewall between the internet and internal systems. Security software outdated or absent.

Why It Matters

Easy targets: Hackers look for unsecured networks.

Lateral movement: Once in, an attacker can reach payment systems.

Malware risk: Infected devices can spread to terminals.

The Fix

Network segmentation:

  • Payment systems on isolated network segment
  • Guest WiFi completely separate
  • Firewalls between segments

Security basics:

  • Firewalls configured and monitored
  • Anti-malware on all systems
  • Regular security updates applied

Consider a professional assessment if you're not sure about your network security.

Mistake #5: No PCI Compliance Program

The Problem

PCI DSS compliance is required for all businesses that handle card payments. Many dealerships don't know this, don't track compliance, or don't complete required self-assessments.

Why It Matters

Merchant agreement requirement: Your processor requires PCI compliance.

Liability shift: Non-compliance means you bear breach costs.

Fees: Many processors charge non-compliance fees monthly.

The Fix

Understand your PCI level:

  • Most dealerships are Level 4 (lowest volume)
  • Required: annual self-assessment questionnaire (SAQ)
  • Required: quarterly network scans (if applicable)

Complete your SAQ:

Maintain ongoing:

  • Annual re-certification
  • Address any issues promptly

Mistake #6: Untrained Staff

The Problem

Staff don't know security best practices. They do what's convenient, not what's secure. Nobody told them what not to do.

Why It Matters

Human error is the #1 risk: Most breaches involve human mistakes.

Social engineering: Staff may be tricked into giving access.

Innocent mistakes: Writing down a card number isn't malicious, but it's still a violation.

The Fix

Security training for all payment-handling staff:

  • What data is sensitive
  • How to handle it properly
  • What NOT to do
  • How to recognize suspicious activity

Regular refreshers:

  • Annual at minimum
  • After any security incident
  • When processes change

Mistake #7: Outdated Equipment

The Problem

Old terminals with outdated software. Payment applications not patched. Systems no longer supported by vendors.

Why It Matters

Known vulnerabilities: Old software has known security holes.

No patches: Unsupported systems don't get security fixes.

Compliance issues: PCI requires current, supported software.

The Fix

Keep systems current:

  • Apply security patches promptly
  • Update terminal software when released
  • Replace end-of-life equipment

Inventory your systems:

  • What terminals do you have?
  • What software versions?
  • When is support ending?

Mistake #8: No Incident Response Plan

The Problem

If a breach happens, who do you call? What do you do? Most dealerships have no plan.

Why It Matters

Time is critical: Response speed limits damage.

Legal requirements: You may have notification obligations.

Chaos makes it worse: Uncoordinated response causes more problems.

The Fix

Create a simple plan:

  • Who to contact (processor, IT, legal)
  • Immediate steps (isolate affected systems)
  • Communication procedures
  • Documentation requirements

Test the plan:

  • Tabletop exercise annually
  • Ensure contact info is current
  • Everyone knows their role

Mistake #9: Physical Security Gaps

The Problem

Terminals accessible to anyone. Server room unlocked. Paper receipts in open trash.

Why It Matters

Physical access = full access: If someone can touch your terminal, they can compromise it.

Card skimmers: Criminals install devices on accessible terminals.

Dumpster diving: Discarded paper can contain card data.

The Fix

Terminal security:

  • Terminals secured when unattended
  • Regular inspection for tampering
  • Staff trained to notice changes

Server/network security:

  • Locked room for network equipment
  • Access limited to authorized personnel
  • Logged access

Paper handling:

  • Shred any paper with card data
  • Secure disposal of documents
  • Don't leave receipts visible

Mistake #10: Assuming "It Won't Happen to Us"

The Problem

"We're just a dealership." "Hackers go after big companies." "We've never had a problem."

Why It Matters

Small businesses are targets: 43% of cyberattacks target small businesses.

Lower defenses: Criminals know small businesses have less security.

Consequences are real: Breach costs can be business-ending for smaller operations.

The Fix

Take security seriously:

  • It's a real risk, not theoretical
  • Invest appropriately in protection
  • Make it part of operations, not an afterthought

Quick Security Checklist

Card Handling:

  ☐ No card numbers written down
  ☐ No card data stored outside secure vault
  ☐ CVV never retained

Access Control:

  ☐ Individual logins for all users
  ☐ Passwords unique and secure
  ☐ Terminated employee access removed immediately

Network Security:

  ☐ Payment systems on isolated network
  ☐ Firewall properly configured
  ☐ Security software current

PCI Compliance:

  ☐ SAQ completed annually
  ☐ Quarterly scans completed (if required)
  ☐ Compliance documentation maintained

Physical Security:

  ☐ Terminals secured when unattended
  ☐ Paper with card data shredded
  ☐ Network equipment in locked area

Training:

  ☐ All staff trained on security basics
  ☐ Refreshers conducted regularly
  ☐ Staff knows what to report


Secure Your Payment Processing

Anchorbase helps dealerships maintain secure, compliant payment processing. From tokenization to PCI compliance support, we help you protect your business and your customers.
