Why are government agencies the last to get on board with cleaning up practices that put PCI Compliance at risk? The credit card authorization form is prevalent at local, state, and federal agencies. Problems persist across all agencies, from the district attorney to healthcare. What am I picking on? The print-and-then-‘fax or mail’ credit card authorization form that asks for the card security code, which is never, ever supposed to be stored.
It’s possible that forms are being scanned after the data is entered and the sensitive data is masked, but that is improbable for many government organizations because they simply do not have the resources.
Here are 4 potential problems with this practice:
- The person handling the form can snap a picture with a cell phone.
- The form is received on a digital fax. Who can retrieve it? Is there a policy in place for destruction of the hard drive data, and is it actually followed? Are forms downloaded to individual hard drives, creating a whole new series of PCI Compliance concerns and broadening the scope?
- The form may be sent to a local office instead of a lockbox. From the moment that form hits the mail, all the people that touch it are risk points.
- Payment data stored on computers. This practice continues to be widespread until there is a breach. On October 10, 2012, the U.S. Secret Service detected a security breach at the S.C. Department of Revenue, but it took state officials 10 days to close the attacker’s access and another six days to inform the public that 3.6 million Social Security numbers had been compromised. The attack also exposed 387,000 credit and debit card numbers. I’m not in the business of securing social security numbers so I can’t respond to that, but why the heck was there full card data to expose?
- Every time a human has access to card data, mail, or faxes, there is opportunity for theft.
All images shown were obtained today via publicly available information.
CREDIT CARD AUTHORIZATION FORM: Florida Health, Charlotte County.
This poorly designed form captures the security code in the middle of the page and also requires a driver's license. Card brands prohibit making the latter a condition of accepting a card.
CREDIT CARD AUTHORIZATION FORM: United States District Court District of Kansas
This form captures the security code in the middle of the page and says that it will be stored, a violation of card acceptance and PCI Compliance rules. Additionally, the only way another person can be authorized to use a card is if there is a power of attorney on file, so the form may be misleading. It is possible for an account to have multiple cards with the same number; however, each card is issued in a different cardholder's name.
CREDIT CARD AUTHORIZATION FORM: Arizona Department of Health
This form captures the security code in the middle of the page. If it’s stored, it’s a violation of card acceptance and PCI Compliance rules. It offers a mail option to the local government office instead of a lockbox, a riskier practice.
CREDIT CARD AUTHORIZATION FORM: City of Laredo Health Department
This form has a clear policy that the sensitive payment information will be shredded. Hurray!
I recommend adding a field for the card brand and last 4 digits that can be retained after the rest of the form is shredded.
CREDIT CARD AUTHORIZATION FORM: Chatham County Public Health Department
This form has a clear policy that the sensitive payment information will be shredded. Hurray! I recommend adding a field for the card brand that can be retained after the rest is shredded. The form appears to allow reuse for recurring billing, since the amount is not specific, though it does not specifically state this as the card brands require. Why isn’t the total amount known if this is for a one-time transaction? If the card is to be reused, I wonder where the card data will be stored once the form is destroyed.
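Two of the points above (payment data stored on computers, and keeping only the card brand and last 4 digits once a form is shredded) can be checked mechanically. The script below is an added example, not code from this article or from any of the agencies named; it scans constructed OCR-style text from a scanned form for Luhn-valid card numbers and a labelled security code, and derives the only record that should survive shredding. The regexes, the BIN-to-brand table and the sample form text are assumptions for illustration.

```python
import re

# Constructed sample: text as OCR might extract it from a scanned authorization form.
SCANNED_FORM = """CREDIT CARD AUTHORIZATION FORM
Card Number: 4111 1111 1111 1111   Exp: 12/27
Security Code (CVV): 123
Cardholder: J. Example   Amount: $45.00
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in longer runs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled 3- or 4-digit security code (assumed labels; extend for local form wording).
CVV_RE = re.compile(r"(?:CVV2?|CVC2?|CID|security code)\D{0,20}(\d{3,4})", re.I)


def luhn_ok(digits):
    """Luhn checksum: filters out dates, amounts and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid 13-19 digit card number found in the text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def brand_of(pan):
    """Card brand from the leading digits (assumed, simplified prefix table)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    return "Unknown"


def scan_for_stored_card_data(text):
    """Flag what must never be stored: full PANs and any security code."""
    return {"pans": len(find_pans(text)), "cvv_present": bool(CVV_RE.search(text))}


def retainable_record(text):
    """The only fields worth keeping after shredding: brand and last 4, never PAN or CVV."""
    pans = find_pans(text)
    return {"brand": brand_of(pans[0]), "last4": pans[0][-4:]} if pans else None
```

Run `scan_for_stored_card_data` over text extracted from shared drives or fax inboxes to find forms that should already have been destroyed; `retainable_record` shows what the recommended extra field should contain.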
RECURRING BILLING CREDIT CARD AUTHORIZATION FORM: Sample
This last form is from our technology for recurring billing authorizations. The customer can enter the payment information on a secure hosted pay page, or it can be key-entered or swiped. The custom personalized form is automatically generated when a new card is stored. The form is signed, and both the customer and the merchant have the token ID to use for billing future charges. With the email address, the cardholder automatically gets a receipt whenever a transaction is processed.
By accepting payments online, merchants can reduce their PCI Compliance burden. What did you think of this article? Please leave your comments.