No, not if the goal is to defend against future disputes. Merchants may never store the card security code (the three-digit CVV2/CVC2 printed on the back of Visa and Mastercard cards, or the four-digit CID printed on the front of American Express cards) on paper or electronically once the transaction has been authorized, not even in encrypted form. Doing so violates both the merchant card acceptance agreement and PCI Compliance* rules: PCI DSS classifies the card verification code as sensitive authentication data that must not be retained after authorization. The penalties can be especially stiff, potentially exceeding one million dollars in fines and even including jail time, for merchants in industries covered by additional identity theft rules. Automotive dealers and health care providers, for example, also collect sensitive personal data, which increases their regulatory obligations to protect consumers from identity theft.
First Data, a leading credit card processor, has this language in its PCI Rapid Comply 2013 questionnaire: “Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?”
If it’s never OK, how can card-not-present merchants protect against fraud and disputes?
- Increase your capability to accept card-present transactions. For example, a local business might give delivery personnel mobile card readers so the customer's card is swiped at the door instead of keyed in later.
- Require remote buyers to print the sales receipt, sign it and send it back. A signed sales receipt that carries the authorization code and the correct authorization language strengthens the evidence trail if the charge is disputed.
- For commercial accounts, the same approach works electronically: require the cardholder to forward the email receipt, with their electronic signature, from a company email address.
- Require cardholders to explicitly approve any third-party delivery address or delivery personnel, and retain all email communication related to the sale.
- Switch to self-serve payments such as an online pay page or electronic bill presentment and payment; both create a trail of electronic evidence. Using a third-party provider that hosts the payment page also reduces the merchant's PCI Compliance burden, because the card data is entered on the provider's systems rather than the merchant's.
- Use a third-party service to store the payment details of recurring customers in a tokenized ‘vault’. The merchant keeps only a token and a masked card number, and no one at the merchant can retrieve the full card number or ACH account details.
- Maintain a set of payment policies that can be managed, monitored and enforced centrally. This is critical in a multi-location environment.
* PCI Compliance: short for compliance with the Payment Card Industry Data Security Standard, or PCI DSS. Every merchant that accepts payment cards is subject to PCI DSS; the specific requirements (and which Self-Assessment Questionnaire applies) vary with a number of factors, including how payments are accepted and the merchant's transaction volume.
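Concretely, the boundary the vault and pay-page recommendations describe looks like this: the processor sees the full card data once for authorization, the merchant keeps only a token, a masked card number, the expiry and the authorization code, and the security code is never written to any record. The block below is an added example written for this page, not CenPOS code or any processor's API. `FakeVault`, `fake_authorize`, the field names and the sample log lines are all hypothetical stand-ins; a real deployment would call the vault provider's own SDK. The last function is the check a practitioner wants after the fact: a scan of stored records or logs for a Luhn-valid full card number or a labelled security code.

```python
"""
Added example for this page (hypothetical; not CenPOS code or any
processor's API).  Shows the merchant-side boundary: full card data is
used once for authorization, only a token, masked PAN, expiry and
authorization code are stored, the CVV is never persisted, and a scan
function checks stored records / log lines for leaked card data.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# A run of 13 to 19 digits is the shape of a primary account number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")
# A labelled three- or four-digit value: the security code stored by mistake.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security_code)\b\s*[:=]\s*\d{3,4}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to tell a real PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked PAN: first six and last four digits visible, the PCI DSS limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class FakeVault:
    """Hypothetical stand-in for a third-party vault: returns an opaque token
    for a PAN and never hands the full PAN back to the merchant code."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # vault-side secret, not the merchant's
        self._pans = {}                       # token -> PAN, inside the vault only

    def tokenize(self, pan: str) -> str:
        token = "tok_" + hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:24]
        self._pans[token] = pan
        return token


@dataclass(frozen=True)
class StoredCharge:
    """Everything the merchant is allowed to keep. There is deliberately no CVV field."""
    token: str
    masked_pan: str
    expiry: str
    amount_cents: int
    auth_code: str


def fake_authorize(pan: str, expiry: str, cvv: str, amount_cents: int) -> str:
    """Hypothetical processor call: validates input shape, returns an auth code."""
    if not (PAN_RE.fullmatch(pan) and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("invalid CVV")
    return secrets.token_hex(3).upper()


def charge(vault: FakeVault, pan: str, expiry: str, cvv: str, amount_cents: int) -> StoredCharge:
    """Authorize with the full card data, then build the record the merchant may store."""
    auth_code = fake_authorize(pan, expiry, cvv, amount_cents)
    del cvv   # used once for authorization; it never reaches the stored record
    return StoredCharge(vault.tokenize(pan), mask_pan(pan), expiry, amount_cents, auth_code)


def find_sensitive_data(lines):
    """Scan stored records or log lines; returns (line_no, kind) for each
    Luhn-valid full PAN ('pan') or labelled security code ('cvv') found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group()):
                findings.append((n, "pan"))
        if CVV_RE.search(line):
            findings.append((n, "cvv"))
    return findings


# Constructed sample log lines; 4111111111111111 is the well-known Visa test number.
SAMPLE_LOG = [
    "order=1001 pan=4111111111111111 cvv=123 amount=1999",              # full PAN and CVV stored
    "order=1002 token=tok_abc masked=411111******1111 auth=A1B2C3",     # compliant record
    "order=1003 masked=411111******1111 security_code=9876",            # CVV stored under another name
]

if __name__ == "__main__":
    rec = charge(FakeVault(), "4111111111111111", "12/27", "123", 1999)
    print("stored record:", rec)
    print("findings in sample log:", find_sensitive_data(SAMPLE_LOG))
```

The scan is intentionally narrow: it looks for a labelled security code rather than any three- or four-digit number, since amounts and order numbers would otherwise drown the output, and it Luhn-checks digit runs so that timestamps and tracking numbers are not reported as card numbers.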
About the author: Christine specializes in providing innovative card-not-present payment processing solutions for manufacturers, wholesale distributors and new car dealers to improve PCI Compliance and streamline the payment experience for both merchants and customers. The solution is fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.