Skip to main content
close search
site logo
Len Green's headshot
Len Green Performance Improvement Consultant and ERP Strategist

Credit Card processing and compliance

Asked on May 9, 2013

I'd welcome comments from anyone who may have had to address this scenario around PCI-DSS and HIPAA compliance:

Imagine this situation: sales staff interact with prospective customers in a public place. Prospects may decide to fill in a paper form for a trial health related service at a large discount; the form includes name, address, DOB etc as well as their credit card details.

After the event, sales staff return to home office and process the forms. This includes enterring personal data into a web based custom application as well as running the credit card through a card processor website. The paper form is retained by the sales staff and is also faxed to a company office, where it is printed.

When the prospect arrives at the office for their trial service, their paperwork is updated with a copy of their health insurance card, and all paper is now efaxed to a shared email account at the billing office. There the efax is printed and stored in a manilla folder.

My concern is that retention of credit card data on paper in various uncontrolled locations is a PCI issue and that moving the paper between offices is a HIPAA issue because of similar issues around access to patient data, including data other than credit card data.

Any one care to add to this?

Many thanks!

Len


 

 

Answers

Sara Voight's headshot
Sara Voight Controller • October 5, 2011

Len
I can only speak to the PCI compliance issues. I have had situations where people show up with their CC info written on a piece of paper and leave it with a receptionist. We always took the approach that to maintain the safety of our client's CC data, we could only accept at our corporate office on an original form. The CC info was always kept in a secured area and rarely touched. It was more common to contact the client to have them complete a new form. It was frustrating for them from a convenience sense, but they did understand that this was intended to protect them. This also meant that the client's account could not be turned on until the corporate office received and input the CC info, but it saved a lot of grief from the perspective of a rogue salesperson. Our auditors really liked this as well.

Cliff Gray's headshot
Cliff Gray CTO • October 5, 2011

Len -

You're certainly running into some of the tricky aspects of PCI DSS; paper forms funneling through a business plays havoc with compliance. It's a matter of traditional and/or practical behavior versus secure procedures. As Sara implied, if you must accept paper forms with card numbers, keeping that paper safe from the bad guys is critical.

A few trends are addressing this vulnerability. Many businesses are imaging any paper forms, then destroying the paper. The digital images are easier/cheaper to secure, and has obvious advantages during subsequent access to the form. Tokenization takes this a step further, by sanitizing any sensitive data before it enters the business network confines.

In your scenario, tokenization may not be practical, but that general philosophy may help. For instance, the outside sales reps would benefit from a mobile-based enrollment form, that can be pulled up on their Android phone, iPad, etc. They love not having to deal with paper; and their new enrollments are delivered online, instantly. Similarly, new customers can be directed to a secure web site to enroll, and enter their payment credentials securely.

PCI's goal is to reduce, if not eliminate, card numbers from merchant environments. To that end, converting paper processes to digital not only eases the efforts of securing sensitive data, but typically improves the efficiency of the process itself. It doesn't solve the whole PCI question, but it's a good start.

Hope that helps!
Best ~
Cliff

Len Green's headshot
Len Green Performance Improvement Consultant and ERP Strategist • October 10, 2011

Thanks for all the comments above. They triggered another thought: how do you manage the risk, e.g. regarding business insurance coverage. Do your policies cover exposure to claims from the public or from regulators if you are out of compliance?

Becky Ledermann's headshot
Becky Ledermann Business Manager • January 29, 2013

Where can i find a PCI policy?

Brian Karr's headshot
Brian Karr CFO • January 29, 2013

Get one from your gateway provider. They have standard PCI compliance documents and should provide you one as part of their solution. You can modify it as you see fit for your organizaton.

Want to join the conversation? Submit an answer or ask a question by emailing us at [email protected]

Submit an answer
Filed Under: Cash Management
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell