Credit Cards on Subscription Renewal forms

You might also want to search the Merchant Information areas of the provider websites, such as Visa. In the past I have found really helpful information there regarding requirements and best practices for handling mail and phone orders (such as whether you should ask for the CVV number).

Alan
The Kennedy Center



On Mar 9, 2012, at 2:40 PM, "Fernando Margueirat" > wrote:

At the National Ballet of Canada, we have re-written all the policies that involve the handling of mail to ensure that no mail that could potentially have credit card information is left sitting around in a public place. We have also redesigned our forms in order to have the space for entering credit card information at the bottom. Once the transactions are processed, the credit card portion of the forms are tear and shredded.


Fernando Margueirat
Business Analyst
The National Ballet of Canada
470 Queens Quay West
Toronto, Ontario
M5V 3K4
P: 416 345 9686 x453
F: 416 345 8323



From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Nathan Campbell
Sent: March-09-12 2:25 PM
To: Fernando Margueirat
Subject: Re: [Tessitura Technical Forum] Credit Cards on Subscription Renewal forms


I don't know about cc#'s in transit but I do believe that cc#'s, once they are 'inside' the organization as it were, are absolutely subject to PCI - digital or print.

See Req. 9.6 - "Restrict Physical Access to Cardholder Data"

Specifically, this document states: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf

"9.6 Physically secure all media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk."

As such - media like this would fall under the same security and / or appropriate destruction policies of other forms of digital media.

Isn't PCI fun!?
From: Ian Ferguson >
Sent: 3/9/2012 9:51:25 AM

You'll probably want to confirm this with your QSA if you have one, but what I've heard is that until the information is stored digitally, it's outside of PCI-DSS scope. So as long as they are sent on paper, not email or an unsecured web page, you're OK.

I know of PCI compliant organisations that still do this. The only other thing to remember is when you digitise the content, do not store the CVC code - this must only be used when taking a payment. (I don't know how that works for recurring payments).



This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!



This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!

________________________________

This e-mail message is intended only for the recipient(s) named above. This message may contain trade secrets, attorney-client communication, or other privileged and confidential information. Any review, re-transmission, dissemination, reproduction or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the Sender and delete the material from any computer.

You might also want to search the Merchant Information areas of the provider websites, such as Visa. In the past I have found really helpful information there regarding requirements and best practices for handling mail and phone orders (such as whether you should ask for the CVV number).

Alan
The Kennedy Center



On Mar 9, 2012, at 2:40 PM, "Fernando Margueirat" > wrote:

At the National Ballet of Canada, we have re-written all the policies that involve the handling of mail to ensure that no mail that could potentially have credit card information is left sitting around in a public place. We have also redesigned our forms in order to have the space for entering credit card information at the bottom. Once the transactions are processed, the credit card portion of the forms are tear and shredded.


Fernando Margueirat
Business Analyst
The National Ballet of Canada
470 Queens Quay West
Toronto, Ontario
M5V 3K4
P: 416 345 9686 x453
F: 416 345 8323



From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Nathan Campbell
Sent: March-09-12 2:25 PM
To: Fernando Margueirat
Subject: Re: [Tessitura Technical Forum] Credit Cards on Subscription Renewal forms


I don't know about cc#'s in transit but I do believe that cc#'s, once they are 'inside' the organization as it were, are absolutely subject to PCI - digital or print.

See Req. 9.6 - "Restrict Physical Access to Cardholder Data"

Specifically, this document states: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf

"9.6 Physically secure all media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk."

As such - media like this would fall under the same security and / or appropriate destruction policies of other forms of digital media.

Isn't PCI fun!?
From: Ian Ferguson >
Sent: 3/9/2012 9:51:25 AM

You'll probably want to confirm this with your QSA if you have one, but what I've heard is that until the information is stored digitally, it's outside of PCI-DSS scope. So as long as they are sent on paper, not email or an unsecured web page, you're OK.

I know of PCI compliant organisations that still do this. The only other thing to remember is when you digitise the content, do not store the CVC code - this must only be used when taking a payment. (I don't know how that works for recurring payments).



This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!



This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!

________________________________

This e-mail message is intended only for the recipient(s) named above. This message may contain trade secrets, attorney-client communication, or other privileged and confidential information. Any review, re-transmission, dissemination, reproduction or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the Sender and delete the material from any computer.