How secure is the credit card data you collect?
In the home repair industry, including alarm systems, air conditioning repair, garage door repairs, etc., credit card acceptance has increased dramatically. But how secure is the data collected?
The most common scenario is for the work order to be written up, and the credit card information to then be added to the work order. Sometimes the work order is a carbonless form. The credit card information is then on the customer copy and the merchant copy.
The repairman puts the form in the truck and goes to the next stop. Is the truck locked at ALL TIMES? Or does the driver keep all forms with him in a notebook on each call? If taking on each call, how secure is the information while in the home or business during the repair? Are all forms returned to the home office daily? If not, where are the forms kept until the originals are returned?
The second part of this common scenario is where the data resides: on the work order form. Where are the work orders filed? Who has access?
Creating a policy for Storage of Credit Card Details both on and off your premises is an essential element of PCI Compliance. Your company should have a clear written policy and all employees with access to sensitive information should have the written policy and have had training.
Recommendations:
1. Physical cardholder details must be locked in a secure area, and limited to only those individuals that require access to that data. In addition, access should be restricted to data on a "need to know" basis. If sales orders are kept in an open filing area, then the credit card data collected should not be on the same form.
2. The credit card number should be truncated so that no more than the last four digits are retained. In addition, any Sensitive Cardholder Data should be masked. CVV and PIN data may not be stored.
3. Stored credit card information is to be retained according to data retention policy and only so long as there is a business, legal and/or regulatory purpose.
4. Procedures to follow for masking credit card information when no longer required:
* Black out the credit card number, except the last four digits if needed, and any Sensitive Cardholder Data, and then photocopy the document.
* Cross-cut shred the original immediately.
* Retain, if necessary, the copy of the document with the credit card information unreadable.
* If document design will allow, credit card information should be detached from the form. Immediately cross-cut shred detached credit card information and retain remaining portion.
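As an added illustration of recommendations 2 and 4 (this is example code, not part of the original article), the following Python shows the same masking rule applied to a digitized work order: the card number is reduced to its last four digits, CVV and PIN fields are dropped rather than stored, and any card number typed into free-text notes is detected with a Luhn check and masked. The record layout, field names and card numbers are constructed test values.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample work order; the card numbers are well-known test values.
SAMPLE_ORDER = {
    "order_id": "WO-1001",
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "notes": "Customer paid with card 5555 5555 5555 4444; tech ID 1234567890123456",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (recommendation 2); separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask every Luhn-valid card number found in free text such as order notes."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


def prepare_for_storage(record: dict) -> dict:
    """Return the version of a work order that may be retained on file."""
    # CVV and PIN may never be stored, so they are removed rather than masked.
    stored = {k: v for k, v in record.items() if k not in ("cvv", "pin")}
    if "pan" in stored:
        stored["pan_last4"] = mask_pan(stored.pop("pan"))
    if "notes" in stored:
        stored["notes"] = redact_text(stored["notes"])
    return stored
```

The same check can be run over scanned-form OCR output or exported order databases to find card numbers that should not be there.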