Is it OK for sales reps to collect credit card data?


If salespeople accept credit cards, instead of writing down card data on paper, sales should either process the transaction immediately or enter the sensitive payment data into a secure payment portal that encrypts and tokenizes it for future use.

What’s the best practice for sales reps to collect credit card data? This question primarily pertains to business-to-business companies, where billing may be done later by the credit or finance department. The initial sale, and possibly future sales, require a credit card.

Option 1: Eliminate sales from ever touching credit card data. This can be achieved by:

  • Creating an online payment page. The customer self-creates an account and manages their payment data, including whether they want to store it.
  • Using a ‘request for payment’ service. This is a slimmed-down version of electronic bill presentment and payment (EBPP Lite). The user enters whatever customer data management requires, including email or mobile number, invoice number, and amount due. The customer immediately receives a link to a unique secure URL to make the payment.
  • EBPP. There are multiple methods to send an electronic invoice for the customer to pay, both integrated and non-integrated. This may be less desirable for new customers.

Option 2: If the salesperson physically meets with the customer, use an enterprise mobile payment solution that includes a card reader, point-to-point encryption, tokenization, and data management for both card-present and card-not-present transactions.

It’s much harder for merchants to maintain PCI compliance, while mitigating the risk of losses due to disputes or fraud, when sales uses alternative methods such as paper authorization forms.

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave, Metro South Florida, FL 33064 USA, 954-942-0483

PCI Compliance Requirement: Stored Cardholder Data on Paper

For businesses that are still storing cardholder data on paper, are you really PCI compliant? Meeting Requirement 9, restricting physical access to cardholder data, is a lot harder than you may think. Here are some key questions you may face in the event of an audit, which is required in the event of a data breach.


  • Do you have a secure storage area exclusively for sensitive payment data?
  • Can you show an audit trail of everyone who accessed the secure area where the card data is stored, with date and time?
  • Is that area restricted to only those personnel who need access to that information?
  • Do you have a log to maintain a physical audit trail of visitor information and activity in any area that payments are processed, including visitor name and company, and the onsite personnel authorizing physical access?
  • Do you have a visitor badge system that expires for all visitors authorized to enter areas where cardholder data is processed or maintained?
  • Do you have an audit trail for the documents (created, removed from storage, and returned to storage) with names and dates?

Let’s face it, the requirements for PCI compliance are so cumbersome, what merchant would want to store card data on paper? The argument that PCI compliance paperwork takes more time for online solutions than for desktop terminals may be true, but the daily operational efficiencies and security gained far outweigh any extra paperwork.

3 Private Duty Home Health Care Provider PCI Compliance Mistakes

As a business owner, PCI compliance (the Payment Card Industry Data Security Standard) should be a priority, but too often owners are given poor advice or simply haven’t found a way to fix the problem of collecting and storing credit card data. Here are 3 major mistakes and how to fix them.


MISTAKE 1: PATIENT CARE MANAGEMENT AGREEMENT & INTAKE PAYMENT FORM ON PAPER

Most companies have an intake form with terms and conditions for payment, which includes fields for credit card authorization with full card data.

Employers entrust home health care provider staff and contractors with people’s lives, so surely they can be trusted with credit card information too, right? Not necessarily. Whether intentional or by mistake, there are many ways the data can be compromised, and as an owner, the penalties in the event of a breach leading to identity theft could be crippling.

  • What if the forms are left in a car (lunch breaks, forgetting to bring them in-house overnight, etc.) and they’re stolen?
  • How are forms returned to the home office for processing? Are those methods secured every step of the way?
  • The form needs to be cross-cut shredded. If the right shredder isn’t provided for home offices, how can one be sure the employee invested in one?
  • Merchants can never store the CVV or security code. If the form is needed for any purpose, can the sensitive payment data be cut off and shredded without compromising the purpose of the document?

MISTAKE 2: RECURRING BILLING PROCEDURES

There’s a variety of excuses for why the paper form needs to be kept on file so the card can be charged each billing period, but all of them are baseless if the provider does their homework on alternative solutions.

  • Stored paper forms present significant risk. Cleaning staff, vendors and trusted employees all have potential access to the data. A top reason cited for data breaches is “it was easy”, and this tops them all.
  • Businesses with up to 100 employees are at extremely high risk for identity theft.

Additionally, it’s just plain inefficient to manage billing by key entering the same card data over and over again.

MISTAKE 3: ENTERING DATA INTO COMPUTER SOFTWARE

Gathering the data digitally has the potential to be an excellent alternative to paper methods, but only if it is done in the right place.

  • Do not allow payment data to be entered into a spreadsheet or other non-secured form.
  • Is the payment application part of the private duty software, such that the software is in scope for PCI compliance? Does the software need to be updated? Is the full card information ever available to users? The architecture of the solution strongly influences security. (Recall the Target and Neiman Marcus data breaches.)
  • Entering the card data directly into a cloud payment solution that is segregated from the business application software provides the optimal security. (Users should still follow all other PCI procedures.)

3 METHODS TO IMPROVE PCI COMPLIANCE WITH FIELD PERSONNEL:

  1. Encrypt data at the point of acceptance, whether swiped with a secure device or key entered.
  2. Directly enter payment data into a secure payment processing platform.
  3. Use tokenization. Tokenization replaces sensitive PAN (Primary Account Number) data with a unique identifier known as a token, which is useless to anyone who may intercept it.
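The following is an added example, not CenPOS code or any payment platform’s API, of what the three methods above look like once they are written down as a flow: the card is captured once, handed straight to a vault (a hypothetical stand-in for a secure payment platform), and the merchant keeps only a token plus the card brand and last 4 digits. The CVV is checked for format so it can be used on the first authorization and is then discarded; it never appears in any stored record. The sample intake record uses a well-known Visa test number, not a real card.

```python
"""Added example (not CenPOS code): a minimal tokenization flow for field
personnel. Card data goes to a vault once; the merchant keeps only a token,
the brand, and the last 4 digits. The CVV is never stored anywhere.
"""
import re
import secrets

# Constructed sample input: a Visa test number, not a real card.
SAMPLE_INTAKE = {"pan": "4111 1111 1111 1111", "exp": "12/29",
                 "cvv": "123", "name": "Pat Example"}


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; catches typos before anything is tokenized."""
    digits = [int(d) for d in pan if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def card_brand(pan: str) -> str:
    """Simplified brand detection by leading digits (illustrative only)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if 51 <= int(pan[:2]) <= 55:
        return "Mastercard"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    return "Unknown"


class Vault:
    """Hypothetical stand-in for a payment platform's token vault.

    In production the PAN lives encrypted inside a PCI-validated provider and
    the merchant never holds it; here it is a dict so the flow runs offline.
    """

    def __init__(self):
        self._cards = {}   # token -> {"pan": ..., "exp": ...}

    def tokenize(self, pan: str, exp: str) -> str:
        token = secrets.token_urlsafe(16)   # random; not derived from the PAN
        self._cards[token] = {"pan": pan, "exp": exp}
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Bill a stored card by token; a real vault forwards the PAN to the processor."""
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_cents": amount_cents,
                "last4": card["pan"][-4:]}


def store_card_for_billing(intake: dict, vault: Vault) -> dict:
    """Return the only record the merchant keeps after the paper form is shredded."""
    pan = re.sub(r"\D", "", intake["pan"])
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check")
    # The CVV is validated for the initial authorization only and then dropped.
    if not re.fullmatch(r"\d{3,4}", intake["cvv"]):
        raise ValueError("CVV must be 3 or 4 digits")
    token = vault.tokenize(pan, intake["exp"])
    return {"name": intake["name"], "token": token,
            "brand": card_brand(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    v = Vault()
    record = store_card_for_billing(SAMPLE_INTAKE, v)
    print("merchant keeps:", record)
    print("recurring charge:", v.charge(record["token"], 2500))
```

The merchant-side record produced by `store_card_for_billing` is what an authorization form should reference: brand, last 4 and token, with no PAN and no CVV, so a stolen copy of it is useless outside the vault.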

How can the provider get a written authorization on paper that is safe for the customer and safe for the provider? Contact us for a FREE Credit Card & ACH Authorization form makeover that can be used in combination with safe, secure, PCI compliant technology.

Why Government Agencies Are High Risk For Failing PCI Compliance

Why is it that government agencies are the last to get on board with cleaning up risky PCI compliance practices? The credit card authorization form is prevalent at local, state, and federal agencies. Problems persist across all agencies, from district attorney to healthcare. What am I picking on? The print-and-then-‘fax or mail’ credit card authorization form with the card security code, which is never, ever supposed to be stored.

It’s possible that forms are being scanned after data is input, and sensitive data is masked, but it’s improbable for many government organizations because they simply do not have the resources.

Here are some potential problems with this practice:

    1. The person handling the form can snap a picture with a cell phone.
    2. The form is received on a digital fax. Who can retrieve it? Is there a policy in place for destruction of the hard drive data, and is it actually followed? Are forms downloaded to individual hard drives, creating a whole new series of PCI compliance concerns and broadening the scope?
    3. The form may be sent to a local office instead of a lockbox. From the moment that form hits the mail, all the people that touch it are risk points.
    4. Stored payment data on computers. This practice continues to be widespread until there is a breach. On October 10, 2012, the U.S. Secret Service detected a security breach at the S.C. Department of Revenue, but it took state officials 10 days to close the attacker’s access and another six days to inform the public that 3.6 million Social Security numbers had been compromised. The attack also exposed 387,000 credit and debit card numbers. I’m not in the business of securing social security numbers so I can’t respond to that, but why the heck was there full card data to expose?
    5. Every time a human has access to card data, mail, or faxes, there is opportunity for theft.

All images shown were obtained today via publicly available information.

CREDIT CARD AUTHORIZATION FORM: Florida Health, Charlotte County.

This poorly designed form captures the security code in the middle of the page and also requires a driver’s license. Card brands prohibit requiring ID as a condition of accepting a card.


CREDIT CARD AUTHORIZATION FORM: United States District Court District of Kansas

This form captures the security code in the middle of the page and says that it will be stored, a violation of card acceptance and PCI compliance rules. Additionally, the only way another person can be authorized to use a card is if there is a power of attorney on file, so the form may be misleading. It is possible to have multiple cards with the same number on an account; however, each card is issued to a different cardholder name.


CREDIT CARD AUTHORIZATION FORM: Arizona Department of Health

This form captures the security code in the middle of the page. If it’s stored, it’s a violation of card acceptance and PCI compliance rules. It offers a mail option to the local government office instead of a lockbox, a riskier practice.


CREDIT CARD AUTHORIZATION FORM: City of Laredo Health Department

This form has a clear policy that the sensitive payment information will be shredded. Hurray! I recommend adding a field for the card brand and last 4 digits that won’t be shredded.

CREDIT CARD AUTHORIZATION FORM: Chatham County Public Health Department

This form has a clear policy that the sensitive payment information will be shredded. Hurray! I recommend adding a field for the card brand that won’t be shredded. The form appears to allow reuse for recurring billing, since the amount is not specific, though that is not explicitly stated as the card brands require. Why isn’t the total amount known if this is for a one-time transaction? If the card is stored, where will the card data live once the form is destroyed?

RECURRING BILLING CREDIT CARD AUTHORIZATION FORM: Sample

This last form is from our technology for recurring billing authorizations. The customer can enter the payment information on a secure hosted pay page, or it can be key-entered or swiped. The personalized form is automatically generated when a new card is stored. The form is signed, and both the customer and the merchant have the token ID to use for billing future charges. With the email address, the cardholder automatically gets a receipt whenever a transaction is processed.

By accepting payments online, merchants can reduce their PCI compliance burden. What did you think of this article? Please leave your comments.

New P2P Encryption Solution With MagTek Secure Card Readers

CenPOS, a universal payment processing platform, now supports point-to-point (P2P) encryption with MagTek retail point-of-sale and mobile credit card reader devices. P2P encryption and end-to-end encryption are terms often bandied about with different meanings.

In P2P encryption, the card data is encrypted at the swipe and decrypted at another point before going on to a credit card processor. This reduces the risk of compromising data in flight. For example, if a merchant has a keyboard-emulation card reader connected to a virtual terminal or point-of-sale software, and the computer has malware, there is a risk of the card data being intercepted before it reaches the next point. By opening a text program, a person can swipe a card and all the data will dump onto the page, increasing internal security risk. With encryption at the card reader, any data intercepted cannot be read, because only the intended recipient has the decryption key.

The term end-to-end encryption has become a catch-all for the encryption and delivery of sensitive cardholder data from the point-of-sale entry point, through each of the various organizations and networks in the payments process, all the way to the card issuer. However, while the swipe device is clearly an endpoint, the destination is not. There are several points where card data may need to be opened in the process, including the merchant acquirer/processor, card brands, loyalty card services, and the card issuer, all of which create complexities that could cause problems for an authorization approval. Thus, to ensure a higher rate of approvals, decryption usually takes place at the point the sensitive data is released to the processor, which makes end-to-end encryption a misnomer.

With the CenPOS SaaS and MagTek hardware solution, data is encrypted at the swipe head, decrypted at CenPOS, and then routed per the merchant rules. (Again, some companies define this as end-to-end encryption, because there are no hard and fast rules defining it in the payments world.) This added layer of protection can bring extra peace of mind to CenPOS merchants concerned with data security. There is no additional cost for the service; however, merchants must have devices injected with the CenPOS encryption key at a secure POS distributor terminal facility.
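The following is an added example, not CenPOS or MagTek code, that simulates the point-to-point flow described in the two paragraphs above: the swipe head encrypts the track data with a key injected at setup, the POS host only ever forwards opaque bytes (so malware or a text editor on that host sees ciphertext rather than a track dump), and the gateway, which holds the matching key, verifies and decrypts before routing on to the processor. The cipher is a stdlib-only demonstration construction (an HMAC-SHA256 keystream with a separate HMAC tag) and not the key-management or encryption scheme any real reader uses; the track-2-style sample string is constructed around a Visa test number. The `inject_key`, `swipe_head_encrypt`, `gateway_decrypt` and `host_sees` names are this example's own.

```python
"""Added example (not CenPOS or MagTek code): point-to-point encryption
simulated end to end. Encrypt in the reader, pass opaque bytes through the
host, decrypt only at the gateway that holds the injected key.
"""
import hashlib
import hmac
import secrets

# Constructed sample: a Visa test number laid out track-2 style (not real data).
SAMPLE_TRACK2 = ";4111111111111111=29121011000012345678?"
SAMPLE_PAN = "4111111111111111"


def inject_key() -> bytes:
    """Models key injection at the secure facility: the reader and the gateway share it."""
    return secrets.token_bytes(32)


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and authentication keys from the injected key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """Demonstration PRF-in-counter-mode keystream (not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def swipe_head_encrypt(key: bytes, track: str) -> bytes:
    """Runs inside the reader: track data is encrypted before any byte reaches the host."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)          # fresh per swipe
    data = track.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def gateway_decrypt(key: bytes, blob: bytes) -> str:
    """Runs at the gateway: check the tag first, then recover the track data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was altered in transit or encrypted under a different key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()


def host_sees(blob: bytes) -> str:
    """Everything the POS computer (or anything running on it) receives from the reader."""
    return blob.hex()


def pan_exposed(text: str) -> bool:
    """True if the sample PAN can be read straight out of the text."""
    return SAMPLE_PAN in text


def demo() -> dict:
    """Compare a keyboard-emulation reader with an encrypting reader on one swipe."""
    key = inject_key()
    blob = swipe_head_encrypt(key, SAMPLE_TRACK2)
    return {
        "plaintext_reader_exposes_pan": pan_exposed(SAMPLE_TRACK2),
        "encrypting_reader_exposes_pan": pan_exposed(host_sees(blob)),
        "gateway_recovers_track": gateway_decrypt(key, blob) == SAMPLE_TRACK2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The tag check in `gateway_decrypt` is the part a practitioner should not skip: it is what lets the gateway reject a blob that was altered on the host, or that came from a reader injected with a different key, before any card data is released toward the processor.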


Above: compatible MagTek devices. To accept credit cards, merchants need a high-speed internet connection, a compatible card reader, a merchant account, and a CenPOS account, which includes a virtual terminal and payment gateway, among other solutions.

Contact Christine Speedy, CenPOS sales at 954-942-0483 for additional information.


Will insurance cover data breach of credit card information? Whether or not PCI Compliant?

The typical business general liability insurance policy provides ZERO coverage for a data breach. A special policy referred to as Cyber Liability Insurance includes a section called Network Security coverage that protects you for both first-party and third-party liabilities arising from a data breach event. In order to get this special insurance, a merchant must be PCI DSS compliant at the time the policy is written, and must attest to compliance on the insurance application.

Cyber Liability is a generic term for an insurance policy; possible coverages include identity theft from computer network data and from paper files.

CRITICAL RED FLAGS:

  • Merchant doesn’t know what PCI compliance means (Payment Card Industry Data Security Standard).
  • Merchant cannot provide a copy of a written policy for actively monitoring PCI compliance, and a record of doing so.
  • Merchant statements contain a “non-PCI compliance validation fee”.

What if the PCI compliance status changes during the term of the policy? This is a grey area, and many factors will likely influence a decision to pay out, including how egregious the issue was that caused the breach, as well as the business’s efforts to maintain compliance.

If a business qualifies for a discount because it has a building alarm, but then posts the alarm code next to the door for everyone to see, would the carrier be happy paying a theft claim? If a business was PCI compliant but then started accepting credit card sales via fax and stored all the forms in a file folder on someone’s desk, where other employees or cleaning personnel have access to them, do you think the insurance carrier might have an issue with this? What if the business made every effort to meet PCI compliance, but a key senior employee goes rogue?

Businesses can mitigate the risk of losses from a data breach by outsourcing the responsibility, using third-party payment processing technology, and purchasing Cyber Liability Insurance.

Thanks to Steven Breitbart, of Cypress Insurance Fort Lauderdale, for contributing to this article.