medical billing forms with credit card option and PCI DSS

Nearly all the medical bills I see now have an option to pay with a credit card. These forms also ask for the card security code (CVV, CVV2). Should merchants ask for it? Is it legal? Is it safe? What are they doing with these forms? I’m personally not writing down my 3 digit security code on any form and returning that through the mail.

Should medical billing companies ask for the card security code on mail response forms? NO. The CVV is not needed for interchange qualification; it has zero impact on your processing costs. It is used to protect against fraud, especially cloned credit cards. If the customer has already swiped their card in person, the CVV is no longer needed for rebilling. But that’s not something the biller knows.

According to Visa’s Ecommerce Risk Management Guide dated December 2009, for information security purposes, all merchants are prohibited from storing Card Verification Value 2 (CVV2). Per Visa’s Data Security Tips, “Do not store the three-digit number on the back of Visa payment cards (CVV2) in any format. Do not request the CVV2 number on mail-order forms or billing forms.”

Per one merchant processor’s rules on MOTO/Internet transactions, you (the merchant) are prohibited from storing CVV2, CVC2, magnetic stripe track data, and AVS and PIN data. Each party will store all media containing cardholder numbers in an area limited to selected personnel on a ‘need to know’ basis only, and prior to either party discarding any material containing cardholder information, the party will destroy it in a manner rendering the card account numbers unreadable.
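To make the storage rule above concrete on the software side, here is an added example (my code, not Visa’s, the processor’s, or the original post’s) of an intake filter for a mailed-in payment form: the fields PCI DSS calls sensitive authentication data (CVV2/CVC2, track data, PIN) are dropped before anything is persisted, the card number is truncated to its last four digits, and a guard in front of the datastore refuses any record that still carries those fields or a full card number. The field names, the dict-shaped form, the list used as a datastore and the sample form are all my assumptions; the card number in the sample is the well-known Visa test number, not a real account.

```python
"""Added example: keep only what a biller may store from a mailed payment form.

Assumptions (mine, not the page's): the form arrives as a dict keyed by the
field names below, and the long-term store is any object with .append().
"""
import re

# PCI DSS "sensitive authentication data": never written to storage.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv2", "cvc2", "track1", "track2", "pin", "pin_block"})


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; catches transcription errors on a hand-written form."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def sanitize_for_storage(form: dict) -> dict:
    """Return a record that is safe to keep: no SAD, PAN reduced to last four."""
    pan = re.sub(r"\D", "", str(form.get("pan", "")))
    if not (13 <= len(pan) <= 19) or not luhn_ok(pan):
        raise ValueError("card number failed format/Luhn check")
    record = {k: v for k, v in form.items()
              if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    record["pan_last4"] = pan[-4:]
    record["cvv2_retained"] = False   # audit hint: the CVV2 was deliberately discarded
    return record


def assert_no_sad(record: dict) -> None:
    """Guard in front of the datastore: refuse SAD fields or anything shaped like a full PAN."""
    present = SENSITIVE_AUTH_FIELDS & set(record)
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    for value in record.values():
        if isinstance(value, str) and re.fullmatch(r"\d{13,19}", re.sub(r"\D", "", value)):
            raise ValueError("refusing to store what looks like a full card number")


def store(form: dict, datastore: list) -> dict:
    """Sanitize, re-check, then persist; returns the record actually stored."""
    record = sanitize_for_storage(form)
    assert_no_sad(record)
    datastore.append(record)
    return record


# Constructed sample: a mailed-in form on which the patient filled in the CVV2 box.
SAMPLE_FORM = {
    "patient_id": "P-1001",          # constructed
    "amount": "125.00",
    "pan": "4111 1111 1111 1111",    # Visa test number, not a real account
    "exp": "12/27",
    "cvv2": "123",                   # must never reach the datastore
}

if __name__ == "__main__":
    saved = []
    print(store(SAMPLE_FORM, saved))
```

The second check (`assert_no_sad`) is deliberately redundant with the first: the point of the storage prohibition is that a later code path (a new import script, a report export) must not be able to reintroduce the CVV2 or the full number, so the refusal sits at the datastore boundary rather than only in the form parser.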

MERCHANT QUESTIONS:

What if my payment processing system requires a CVV to process a credit card transaction? You need an alternative way to enter transactions. You’re required to ask for the security code on Internet transactions, but not on mail order. Call and we can set you up quickly with a virtual terminal.