Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of rules, and cost efficient solutions to ease PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway, is the only cost efficient and secure option for these business types.

It’s never Ok to store credit card forms that have the CVV2, or security code, on them. It’s also never Ok to store CVV2 electronically in any format, encrypted or not. This is both a card acceptance and PCI Compliance 3.0, section 3 Protect Cardholder Data, problem. For any recurring charges, including variable, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization, however not all gateways support this feature.

The best paper credit card authorization form, is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that let’s them swipe and create a token, using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from company email address with typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.

PCI 3.0, in effect now, requires merchants not only are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and or completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, pg 36 CVV
Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form

 

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave Metro South FloridaFL33064 USA 
 • 954-942-0483

Video: PCI Compliant credit card authorization forms

Token billing solves the problem of storing credit card data for recurring billing customers, but that doesn’t fix the merchant problem of replacing credit card authorization forms.

Video Transcript: Meet Mary.  She manages accounts receivable. The problem is credit card security. Customer approval is needed for accounts on file. Image credit card authorization form. But there’s no secure way to store the authorization without also storing the credit card number and security code.

Until now. Introducing 3D Merchant Services. Cloud payment solutions that work with YOUR financial partners. Here’s how it works. Create a token. Image iphone, computer with virtual terminal screen, batch upload, point of sale, and integrated solutions. Anywhere.  Or have customers create and manage their own. Electronic bill presentment and payment, ecommerce, online payments. And then, for every token created, a prefilled form is automatically created! PCI DSS compliant.

Charge cards in seconds. Rocket blasting. ACH? Ditto. Efficient, secure, processor neutral, Level III processing, YES.

Call 3D Merchant Services 954-942-0483 for a demo and free trial.

Author: Christine Speedy. “PCI compliance is virtually impossible without a technology solution.  The right payment gateway selection is critical to merchant success and reduced PCI burden.”

 

You completed PCI Rapid Comply, what’s next?

irst Data pci rapid comply

Screenshot of PCI Rapid Comply by First Data home page

You’ve completed the online forms at PCI Rapid comply, what’s next? By now you already know that PCI is not a quarterly or annual event.

First, If you received notice of noncompliance, print the web page shown above and send to your merchant processor relationship manager to stop recurring non-compliance fees, if applicable.

Next, go to MY DOCUMENTS and download everything. These are starter documents to help you with compliance, but you’ll need to modify and add some information.

pci-rapidcomply-docsFor example, on the incident response form, you’ll need to add the responsible names and contact information.

The security policy should be reviewed and disseminated to all employees that touch payments, and are involved in network security. I recommend HR manage the confirmed receipt as part of employee performance reviews. You may want to create a test to validate employee understanding, and record the date and time of completion to prove compliance.

  • The Risk Management Guide has a number of blanks to fill in. If you have retail transactions, you’ll need to create a monitoring and inspection program, which includes serial numbers and locations of all equipment.
  • Enter network administrator and payment administration on the access control guide. If you’re a CenPOS user, most of this requirement is managed with CenPOS Roles & user management.
  • Maintaining and monitoring your program is a critical component of PCI 3.0. If you don’t currently have a compliance officer, create accountability by assigning someone to ensure monitoring is completed on schedule.

About PCI Rapid Comply: PCI Rapid Comply is a First Data service available to all their merchants. First Data merchants can use this or a third party service of their choice.

About 3D Merchant Services author Christine Speedy: Offers payment gateway and cloud solutions to reduce scope and PCI Compliance burden. No new merchant account is required, however merchant services are available upon request. PCI Rapid Comply is available to merchant clients on select processor platforms, at no additional fee.

 

PCI SECURITY STANDARDS COUNCIL PUBLISHES SECURITY AWARENESS GUIDANCE

pci security awareness guideOctober 30, 2014. In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place,or as a minimum benchmark for those with existing programs that require revisions. Best Practices for Implementing Security Awareness Program v1.0, 25 pg PDF recommended for IT and PCI compliance leaders.

One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents.

The free guidance will help merchants establish security standards in their business.