We’re getting ready to send our renewals out. Since I’m in the midst of PCI-compliance-land at the moment (now and forever), a question just arose about whether it’s still copacetic to ask patrons who wish to renew by mail to include their credit card information on the form. My assumption is that whether they choose to send that information by mail is up to them (as they are also able to renew over the phone or online) and that what happens to that form before it reaches our hands isn’t our responsibility, even though we asked for the information.
Once we receive the forms and have processed them, we take great care to obliterate the credit card information from the forms (Sharpie markers are our friends), and the forms themselves, which are retained, are kept under lock and key.
Requiring payment card information for mail-order is still OK, isn’t it?
Jeanne
You'll probably want to confirm this with your QSA if you have one, but what I've heard is that until the information is stored digitally, it's outside of PCI-DSS scope. So as long as they are sent on paper, not email or an unsecured web page, you're OK.
I know of PCI compliant organisations that still do this. The only other thing to remember is when you digitise the content, do not store the CVC code - this must only be used when taking a payment. (I don't know how that works for recurring payments).
I don't know about cc#'s in transit but I do believe that cc#'s, once they are 'inside' the organization as it were, are absolutely subject to PCI - digital or print.
See Req. 9.6 - "Restrict Physical Access to Cardholder Data". Specifically, this document states: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
"9.6 Physically secure all media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk."
As such - media like this would fall under the same security and / or appropriate destruction policies of other forms of digital media.
Isn't PCI fun!?
Nathan beat me to it. PCI is all about the PAN (the 16 digit cc #) and it doesn't distinguish whether it's stored digitally or on a piece of paper. From my recollection and reading of the requirements I believe it would be ok to have it mailed to you on subscription forms, but as soon as you have entered that information for processing you would need to render it unreadable. And you would certainly want to take steps to enter it as soon as possible as well as never have those forms in a place where unauthorized people could access them (i.e. have them sent to a secure mailbox then taken directly for processing).
Of course I'm not an expert so best to talk to your finance folks, adviser, lawyers, etc...
At the National Ballet of Canada, we have re-written all the policies that involve the handling of mail to ensure that no mail that could potentially have credit card information is left sitting around in a public place. We have also redesigned our forms in order to have the space for entering credit card information at the bottom. Once the transactions are processed, the credit card portion of the forms is torn off and shredded.
Fernando Margueirat Business Analyst The National Ballet of Canada 470 Queens Quay West Toronto, Ontario M5V 3K4 P: 416 345 9686 x453 F: 416 345 8323
From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Nathan Campbell Sent: March-09-12 2:25 PM To: Fernando Margueirat Subject: Re: [Tessitura Technical Forum] Credit Cards on Subscription Renewal forms
From: Ian Ferguson <bounce-ianferguson8086@tessituranetwork.com> Sent: 3/9/2012 9:51:25 AM