Looking for a PCI compliant credit card authorization form template? Downloadable PDF or Word forms all over the internet are never PCI compliant nor compliant with card network rules, plus the form might introduce malicious code into your network, leading to a future data breach. In this article, learn about credit card authorization form compliance problems and solutions.
Merchants must replace traditional paper credit card authorization forms. Per Visa rules, merchants are never allowed to ask for the security code in any written form. I know companies that are skirting this rule by using a paper form and then calling the customer for the security code. They are stuck on the idea that a signature is going to make a difference if there is a dispute later, which was true in the past but not anymore. Merchants also cannot store the form with full card numbers nor store the security code after authorization. Traditional credit card authorization forms increase the risk of fraud and identity theft, and nobody likes them!
Is it OK to use a digital credit card authorization form? That depends. Cloud digital credit card authorization forms may not be PCI compliant.
The rise in digital credit card authorization forms is downright scary, because despite claims by sellers, merchant implementation of them is often not PCI compliant. Here are a few reasons why:
- Neither merchants nor third parties can store the security code after authorization.
- Neither merchants nor third parties can store the card number unmasked after authorization.
- Merchants will be hard-pressed to prove PCI compliance in the event of a data breach. Who had access to the forms and when? How is the server wiped of the data? What about backup servers?
- What’s the point of getting a signed form if you can’t save it?
- If the service offers an authorization to verify the cardholder, but the merchant then types the card number into another system with no connection to the initial verification, all subsequent transactions are in violation of the rules for storing and using stored cards and thus are open to issuer chargeback risk.
What’s a better solution? Use a third-party hosted solution to reduce the PCI compliance burden and empower customers to self-pay and self-store their cardholder data. Ensure that the solution supports 3-D Secure, which shifts friendly fraud (it wasn’t me, I didn’t authorize it) liability to the issuer. This could be a static pay page or a secure link you push out via text or email. My CenPOS customers have had this solution for nearly a decade.
Benefits of a compliant solution:
- Reduced merchant fees for some cards (3-D Secure cardholder authentication, such as Verified by Visa, must be enabled.)
- Increased approvals with cardholder authentication.
- Mitigate chargeback risk – with 3-D Secure cardholder authentication, fraud liability shifts to the issuer.
- More convenient for buyers: 24/7 payments on their schedule, not yours.
- Buyers are in control of choosing to store payment methods.
How can merchants get 3-D Secure? Contact us for the latest instructions or call your merchant services provider.
See also Visa Stored Credential Mandate & Framework – Improving Authorization Management for Transactions with Stored Credentials.
Call Christine Speedy, PCI Council QIR certified, for simple solutions to card-not-present payment transaction problems, 954-942-0483, 9-5 ET.