Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Card Not Present, CenPOS, credit card processing

Main menu

Skip to primary content
  • Home
  • Christine Speedy, Author
  • Interchange Rates
  • How much can I save?
  • Glossary: Payment Processing Terminology
  • Merchant Alerts & Rules Links
  • Merchant Security : PCI Compliance (Sticky)

Post navigation

← Previous Next →

Storage of Credit Card Details

Posted on August 19, 2008 by cspeedy

How secure is the credit card data you collect?

In the home repair industry, including alarm systems, air conditioning repair, garage door repairs etc, credit card acceptance has increased dramatically. But how secure is the data collected?

The most common scenario is for the work order to be written up, and the credit card information to then be added to the work order. Sometimes the work order is a carbonless form. The credit card information is then on the customer copy and the merchant copy.

The repairman puts the form in the truck and goes to the next stop. Is the truck locked at ALL TIMES? Or does the driver keep all forms with him in a notebook on each call? If taking on each call, how secure is the information while in the home or business during the repair? Are all forms returned to the home office daily? If not, where are the forms kept until the originals are returned?

The second part of this common scenario is where the data resides- on the work order form. Where are the work orders filed? Who has access?

Creating a policy for Storage of Credit Card Details both on and off your premises is an essential element of PCI Compliance. Your company should have a clear written policy and all employees with access to sensitive information should have the written policy and have had training.

Recommendations:
1. Physical cardholder details must be locked in a secure area, and limited to only those individuals that require access to that data. In addition, access should be restricted to data on a “need to know” basis. If sales orders are kept in an open filing area, then the credit card data collected should not be on the same form.
2. The credit card number should be redacted to include no more than the last four digits. In addition, any Sensitive Cardholder Data should be masked. CVV and PIN data may not be stored.
3. Stored credit card information is to be retained according to data retention policy and only so long as there is a business, legal and/or regulatory purpose.
4. Procedures to follow for masking credit card information when no longer required:
* Blackout credit card number, except last four digits if needed, and any Sensitive Cardholder Data and then photocopy document.
* Cross-cut shred the original immediately.
* Retain, if necessary, copy of document with unreadable credit card information.
* If document design will allow, credit card information should be detached from the form. Immediately cross-cut shred detached credit card information and retain remaining portion.

0
0

Related posts:

  1. What’s fair in the credit card processing consulting world?
This entry was posted in security and tagged credit card processing, data security, merchant account, PCI compliance by cspeedy. Bookmark the permalink.

Recent Comments

  • Christine Speedy on Magento Developer Alert: Visa Mandate and Payment Gateways
  • Christine Speedy on How do I reset Ingenico ISC 250 or 350 terminal?
  • Jeremy Scott Ayers on How do I reset Ingenico ISC 250 or 350 terminal?
  • Christine Speedy on Level 3 processing for Magento
  • Carnivoros Anonimos on Can I get a merchant account if I don’t have a social security #?
Proudly powered by WordPress