PCI Conundrum Of The Week: When Plastic Meets Paper
Written by Evan Schuman, February 10th, 2010
PCI rules have always—and wisely—discouraged using payment card numbers for anything other than processing payments. But sometimes those rules run contrary to long-established paper practices, procedures that pre-dated PCI's creation. A good example of this conundrum involves a federal agency, tax-exempt status forms, and the procedure of copying a government-issued payment card (this one happened to be Visa branded) and placing a copy in the file cabinet.
This situation involves the U.S. government's General Services Administration (GSA) and some GSA interactions enjoyed by Benjamin Moore & Co. (the paint people). The conflict cropped up when the chain was dealing with some military accounts in Hawaii. The issue comes down to needing that payment card copy in the files (tax-exempt rules) but being unable to save the copy of a Visa payment card (PCI rules).
February 10th, 2010 at 9:58 pm
There are situations where existing laws are in conflict with PCI requirements. This is most often encountered in the area of background checks (Requirement 12.7) which can conflict with privacy legislation in some countries. Whenever there is such a conflict, sovereign law trumps PCI. That would seem to describe the situation here.
There is nothing in PCI prohibiting the paint company from keeping the PAN, either on paper or electronically. They just have to protect it per PCI. (And ‘blacking out’ doesn’t cut it for removing from scope; it never did. You could black out the original, scan or Xerox it, then keep the copy and securely shred the original, but that’s a long way around the block.)
My first option, though, would be to see if the acquirer can provide you the PAN if/when you need it. They should be able to locate any transaction based on date, amount, auth code, and last 4 digits of the card. If they can’t, consider getting a new acquirer.
If the GSA or state tax folks still want the merchant to keep the PAN as proof, so be it. Just protect the paper (securely locked away, severely limited access, etc.). As long as they don’t go storing security codes or other sensitive data (like copying the back of the card!), the merchant should be OK.
Personally, I’d see if the tax people would accept the first 6 digits (identifying via the BIN that it’s a GSA Pcard) along with date and transaction amount. If not, follow the law, protect the paper per PCI, and they should be fine.
Is it an unholy pain for the merchant? Maybe, but let’s make sure to blame it on the local tax authority and not PCI which has adequate provisions for addressing it.
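As an added illustration of the alternative sketched in this comment (not part of the original post or the commenter's text): a paper retention record that keeps only the first six digits (the BIN) and last four of the card, plus the date, amount and auth code an acquirer can search on, so the full PAN never needs to sit in the file cabinet. The Luhn check, the record field names and the sample number 4111111111111111 (a standard Visa test number) are my constructions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


def luhn_valid(pan: str) -> bool:
    """Mod-10 check carried by payment card numbers; catches mis-copied digits before filing."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six (BIN) and last four; replace the middle with 'X'.

    Refuses a number that fails Luhn so a bad copy is caught at the counter.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class RetentionRecord:
    """What goes in the paper file instead of a photocopy of the card (constructed field set)."""
    truncated_pan: str
    tx_date: date
    amount: Decimal
    auth_code: str


def record_from_receipt(pan: str, tx_date: date, amount: Decimal, auth_code: str) -> RetentionRecord:
    return RetentionRecord(truncate_pan(pan), tx_date, amount, auth_code)


def matches_acquirer_row(rec: RetentionRecord, row: dict) -> bool:
    """Match a retained record against an acquirer search result that exposes only last four."""
    return (rec.tx_date == row["date"] and rec.amount == row["amount"]
            and rec.auth_code == row["auth_code"]
            and rec.truncated_pan[-4:] == row["last4"])
```

The acquirer row is a constructed dict standing in for whatever the acquirer's transaction search returns.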
February 11th, 2010 at 1:28 pm
Is there any guidance on paper redaction? I’ve received verbal guidance that heavy marker redaction is sufficient for the Card Verification Value, but that hole-punching the CVV out of the copy is preferable. Beyond that, you have to use good practices to store paper:
• NEVER store the CVV2/CVC2 past initial authorization in ANY form – redact with a heavy marker or punch out the number from the image.
• Evaluate business processes and determine a realistic retention policy and cycle for paper documents containing cardholder data.
• Secure paper records containing cardholder data under lock and key.
• Restrict access to such records to individuals with a valid business need to know.
• Log access to these records, i.e. a sign-out process for the key to the lock box or filing cabinet.
• Securely destroy paper cardholder data records in compliance with your policies as soon as they are no longer required.
Does anyone else have any other best practices for paper? I’d love to hear them!
February 11th, 2010 at 4:11 pm
In our industry we have this issue of customers providing us their card information to keep for future use. So thanks for the tips.
February 12th, 2010 at 12:01 pm
@Dave, I have never seen formal guidance on using a marker to ‘black out’ a PAN or other data. But I have used my eyes, and if you turn the paper just so in the light you can read quite easily the blacked-out information. Therefore, simply blacking-out or scratching-out won’t protect the data. I spend a lot of time with people on form design – put the card info on the bottom of the form; after auth cut it off and securely shred. Then keep the top part with the customer info you want/need. Otherwise I guess I’d go with your hole-punch (hey, scissors beats paper, right?) idea. Now, about those hole punch chads…
February 12th, 2010 at 4:34 pm
RE: blacking out – not only can it sometimes be read, but many copier/fax machines will pick it right up. I’ve found an ultrafine black Sharpie ‘squiggled’ vs. a straight line works well in most cases. For hole punches, look for a ‘long arm’ hole punch (one source is a craft store) so you can get to the number even if it is in the middle of the page.