As hard as it is to believe in this age of e-commerce, many credit card transactions are still made by fax and mail. Orders that arrive through these channels carry cardholder data like any other and must be handled and secured in accordance with PCI DSS.
All mail orders should be received in security envelopes and routed to a single-purpose mailbox in a PCI-compliant environment. Each day, following documented key management procedures, one of the two authorized key custodians must issue the mailbox key and the locked courier bag key from a locked, wall-mounted key storage box located in the secure processing room.
Carrying the keys and the corresponding locked courier bag, the custodian goes to the post office and collects all orders from the mailbox. They place the orders in the bag, lock both the bag and the mailbox, and return directly to the secure processing room, where the bag is unlocked and its contents handed over for processing. They then sign the keys back in, return them to the key storage box, and return the bag.
The processing room should have video surveillance of entry and exit points and badge-controlled access, backed by facility security controls including a staffed reception desk, visitor logs, and restricted access to the badge (ID card) system.
Inside the processing room, all mail orders must be opened by authorized, background-checked personnel, entered into POS terminals, and the paper immediately cross-cut shredded.
Similarly, fax orders must be received on a dedicated fax extension that terminates in the processing room, processed by authorized personnel, and disposed of by cross-cut shredding.
If you need to retain order data for a while to cover returns, your data retention and disposal procedures must state that need together with any other applicable legal, regulatory, or business requirements.
For storage, use either a locked file cabinet inside the secure processing room, with its key kept in the key storage box described above, or a designated third-party service provider that offers secure storage.
Any transfer of this data offsite should be recorded in management-authorized tracking logs and carried by secure courier or another delivery method that can be tracked. All service providers used in this process must be documented and managed in accordance with PCI DSS requirement 12.8, and all such data must be marked “Confidential.”
How to Securely Store Payment Forms Temporarily?
While online purchases are more common than payment forms sent in by mail, we know this is sometimes the easiest way to get paid. If you accept credit or debit card payments on paper, whether for a donation or a purchase, there are several things you can do to keep your procedures PCI compliant and safeguard your clients’ payments.
While PCI does not prescribe a specific process for receiving a payment by mail, you should always consider how to do it securely, because securing payments is part of PCI compliance no matter how you receive them.
Limit Physical Access
When you receive payments, one way to ensure accountability is to have them sent to a specific location, such as a locked mailbox, that only a limited number of people can access. This reduces the risk that a pile of forms full of cardholder data goes missing with no way to tell who took it. That doesn’t mean access should be limited to just one person, but you probably don’t need to allow access to many.
You should not retain cardholder data unless you need it, but sometimes you may need to keep it for a short time to complete payments or until it is securely destroyed.
Lock Unopened Payment Forms
Maybe only one person can access your mailbox, but someone else processes the payments. Or maybe you only process payments once a week. For PCI, you need to make sure that all paper forms containing cardholder data are stored securely in the meantime. Keep forms in a locked filing cabinet, safe, or similar unit that cannot be opened or removed until it is time to process payments.
Protect Opened Payment Forms
After opening the payment forms, you need to make sure you understand what to do next.
If you need to keep payment forms as part of your records, be sure to remove or mask the card payment information:
- Can the payment information be written at the bottom of the form so that that part of the page can be torn off and destroyed securely?
- Can you mask the payment information (keeping only the first six and last four digits of the card number) and then scan the form?
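One way to apply that first-six/last-four masking before a form's text is scanned or logged, as an added Python example that is not part of the original article; the order-form text below is constructed, and the card number is a well-known test number, not a real card:

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop the pattern from matching a slice of a longer digit run.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample of OCR'd text from a mailed order form (not real data).
FORM_TEXT = (
    "Name: J. Doe\n"
    "Phone: 555-123-4567\n"            # 10 digits: too short to be a PAN
    "Order 1234567890123\n"            # 13 digits but fails the Luhn check
    "Card: 4111 1111 1111 1111 Exp 12/27\n"  # standard test PAN, Luhn-valid
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and replace the rest with 'X'.
    Separators are dropped so the stored value has one unambiguous form."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_form_text(text: str) -> str:
    """Mask every Luhn-valid PAN in free text such as a scanned order form.
    Digit runs that fail Luhn (order numbers, references) are left untouched;
    drop the luhn_ok gate if you would rather over-mask than under-mask."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(redact_form_text(FORM_TEXT))
```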
You also need to make sure that payment forms are securely destroyed. This usually means shredding the papers immediately or placing them in a locked document destruction bin kept in a secure location. Your job will be much easier if you don’t need to store forms after they’ve been opened and processed.
If you shred forms yourself, use a cross-cut shredder that cuts the paper into pieces too small for the card number to be reconstructed.
If forms go to a disposal bin, check whether the third party collecting them is PCI compliant so you know they are disposed of securely. If they are not compliant, you need to check how they ensure that the forms are destroyed so that no one can reconstruct the cardholder data.
And if you need to store forms before performing any of these steps, make sure they are stored as securely as they were before processing. Keep them in a locked place, make certain that only people who need access have it, and log access if you can.
Train Staff on Security and Compliance
The best thing you can do to help protect cardholder data is to make sure the people who work with it know how to protect it. Staff awareness is vital to keeping your information secure. A good security culture and a working knowledge of basic security practices will help everyone, not just your customers.
The more your employees know about credit card security, the more aware they will be of the risks, and the more you and they can do together to reduce them.