PCI Requirements for Storing Credit Card Information on Paper - PCI DSS GUIDE (2024)

Table of Contents show

While you may have a business reason to store credit card information, PCI DSS requirements expressly prohibit storing a card’s security code or any “track data” contained in a magnetic stripe on the back of a credit card.

CVV2, CID, and CSC are abbreviations for the three-digit number on the back of MasterCard, Visa, Discover, American Express cards, and the four-digit number on the front of American Express cards. It is designed to let merchants know if a customer authorizing a transaction over the phone or the Internet has the card.

Only if the security code is not saved with the card number will this method work. This is made simple by electronic storage. To store credit card information on paper, you must cross it out with a dark pen to make the security code unreadable after completing the transaction and before storing a paper authorization form.

See Also: Ensuring Physical Security: PCI DSS Requirement 9

Track data stored in the magnetic stripe on the back of the card also includes account-related information not displayed on the card. This information aids in the authorization of transactions and ensures that credit cards cannot be easily forged. This tracking data can be made apparent using card readers, and software can be created to store it without your knowledge.

You should not save security codes or track data deliberately. However, you should make sure you don’t mistakenly hide it as well.

See Also: What Should a PCI Compliant Credit Card Authorization Form Look Like

However, there may be situations where you may need to retain credit card numbers, such as postal payments or written authorizations for recurring payment authorizations.

Believe it or not, some vendors store credit card information on paper. Such a storage system can range from scribbling card numbers on sticky notes to keeping detailed records in organized files. Regardless, writing credit card information on paper is one of the riskiest and most insecure methods of storing credit card information. It also does not comply with PCI compliance standards.

See Also: PCI Requirements For Storing Credit Card Information

The number one risk associated with storing sensitive data on paper is theft. Employees and bad actors alike steal paper records. Even if traders keep their data in a locked filing cabinet, there is always a theft risk.

If you’re still storing paper documents that contain credit card numbers, make sure they’re always locked in a secure place like a safe or file drawer when not in use. One of the biggest mistakes you or your workers may make is manually recording credit card numbers on paper and storing them insecurely. Credit card information is private and should only be used during the transaction.

Electronic storage of credit card numbers is standard, for example, when you handle recurring or recurring transactions. If you do, you need to make sure that you never store these files unencrypted.

You must ensure that any electronic storage is encrypted using a robust encryption algorithm. That way, you have some protection for credit card numbers if your computer is stolen or someone in your office gains unauthorized access.

What Are the Consequences of Storing Credit Card Data on Paper?

When you run a business, you have access to some of your clients’ most private and sensitive information, including their credit cards. While storing credit card information is not unlawful, you should take the required security precautions.

Let’s say you’re careless with your client’s credit card information, duplicating it and not storing it securely. If you insist on having credit card copies at your office, you should be aware that you are exposing yourself up to a slew of issues as a business owner. Credit card issuers will levy fees and penalties in this situation. They might even choose to end the relationship with you.

If a customer’s credit card information is stolen from an unsecured office, that customer has the right to sue you. Then you’ll have to deal with costly legal fees, provisions, or compromises.

If you’re worried about legal issues that could arise if a customer’s credit card information is breached because they are copies of data stored in your office, you should probably opt out of this practice.

PCI DSS states that you should not withhold the account number and expiration date unless you have an essential business need. Keeping this information or retaining it for longer than necessary makes it vulnerable to fraud or identity theft.

Dos and Don’ts When Storing Credit Card Information

There are a few critical do’s and don’ts to make sure you’re compliant with PCI standards. Following this essential checklist of dos and don’ts will help you get closer to PCI compliance:

  • NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.
  • NEVER obtain or disclose any cardholder’s credit card information without the cardholder’s consent, including but not limited to:
    • Partial sixteen (16) digit card number
    • CVV/CVC (three or four-digit verification code on back of card)
    • PIN (personal identification number)
  • NEVER transmit or accept cardholder information via email, fax, scan, or end-user messaging technologies.
  • Never save important authentication data on a computer, server, or piece of paper, such as:
    • The card’s storage chip or magnetic stripe
    • CVV/CVC (three or four-digit verification code on back of card)
  • NEVER use a press to process credit card payments unless it is part of your business processes or is required.
  • NEVER leave unset stacks on terminals at the end of a working day. You can set automatic shutdown programming or have batches turn off manually each night.
  • NEVER share passwords and use them on any computer you access.
  • NEVER leave sensitive information unattended on your desk, screen, or any public area.

All records containing cardholder data must be in a secure environment, including the physical security of paper and electronic media such as computers, removable electronic media, receipts, reports, or faxes.

Secure environments include locked drawers and safes with limited access to credit card processors only. Departments should conduct a media inventory and maintain inventory logs and audit trails of all paper and electronic media.

Any cardholder information in paper format should be kept to a minimum due to recording, writing, or storing cardholder information. The transaction should be processed as soon as possible, and the credit card number should be immediately darkened to the last four digits. In addition, all Sensitive Cardholder Data must be masked.

When keeping cardholder data on hard copy or paper, you must comply with PCI DSS requirements 9.5 to 9.8.2. These controls include the secure storage of paper documents, proper access control of paper documents, and the destruction of paper documents when they are no longer needed.

PCI DSS requirement 9.8.1 requires that you shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. It’s great if you additionally utilize secure storage containers for any materials that need to be discarded.

Can the entire credit card number be printed on the copy of the receipt of the consumer?

PCI DSS requirement 3.3 specifies that when displayed, you must mask the PAN with the first six and last four digits being the maximum number of digits to display.

PCI DSS requirement 3.3 does not replace the more stringent requirements for displaying cardholder data. For example, the PCI DSS requirement cannot replace legal needs or payment card branding requirements for point-of-sale (POS) receipts.

All paper receipts stored by merchants must comply with PCI DSS requirement nine regarding physical security.

How Does Receiving Credit Cards in the Mail Work with PCI?

Receiving sensitive payment information by mail or fax, as with obtaining credit cards over the phone, may raise concerns about your organization’s PCI compliance process. When card data is processed manually, the relevant security controls are procedural and physical, and the technology systems are used.

See Also: PCI Compliance Recommendations for Mail and Fax Orders

Often, organizations that accept credit card information by mail or fax process other sensitive information and card data such as phone numbers, email addresses, or physical addresses.

This is why all personally identifiable information (PII) needs to be handled. Because sensitive information is essential, you need to take a holistic approach to your security process.

PCI DSS Requirement 9 covers the basics of physical controls and sensitive data your business undertakes. You should also review PCI DSS Requirement 3, which outlines the protection of stored cardholder data.

An example of best practice for an institution that receives credit cards by mail and fax is as follows:

  1. Data is collected every day and is securely transported.
  2. Movements of data are recorded until another authorized person processes them in an isolated area or at a monitored terminal.
  3. After the data is processed, it is placed safely and securely stored according to legal requirements.
  4. The data is destroyed when it is no longer needed.

As an expert in data security and compliance, my extensive experience and knowledge in the field equip me to provide valuable insights into the critical aspects of handling credit card information securely. I have actively worked with organizations to implement and adhere to Payment Card Industry Data Security Standard (PCI DSS) requirements, ensuring the protection of sensitive information and compliance with industry standards.

The article you provided highlights essential considerations for businesses handling credit card information. Let's break down the key concepts mentioned:

  1. PCI DSS Requirements:

    • PCI DSS, or Payment Card Industry Data Security Standard, is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
    • The article emphasizes the importance of complying with PCI DSS requirements, particularly regarding the storage of credit card data.
  2. Security Codes and Track Data:

    • CVV2, CID, and CSC refer to the three-digit security code on the back of MasterCard, Visa, Discover, and American Express cards. There's also a four-digit code on the front of American Express cards.
    • Storing the security code or any "track data" from the magnetic stripe is prohibited by PCI DSS, as it poses a security risk.
  3. Storage Methods:

    • Storing credit card information on paper is discouraged due to the high risk of theft. The article highlights the various insecure methods, from scribbling on sticky notes to keeping detailed records, and stresses that it does not comply with PCI compliance standards.
  4. Electronic Storage:

    • Electronic storage of credit card numbers is standard, especially for recurring transactions. However, it is crucial to encrypt any electronic storage to protect the data in case of theft or unauthorized access.
  5. Consequences of Storing Credit Card Data on Paper:

    • The article outlines potential consequences for businesses that store credit card data insecurely, including fees and penalties from credit card issuers, legal repercussions, and damage to the business relationship with customers.
  6. Dos and Don'ts:

    • The article provides a checklist of dos and don'ts to ensure compliance with PCI standards, covering aspects such as never physically writing down credit card information, avoiding the transmission of sensitive data via insecure methods, and implementing secure storage practices.
  7. Physical Security and Destruction of Data:

    • PCI DSS requirements 9.5 to 9.8.2 cover secure storage of paper documents, access control, and the proper destruction of paper documents when no longer needed.
  8. Printing Credit Card Numbers:

    • PCI DSS requirement 3.3 specifies that if credit card numbers are displayed, the PAN (Primary Account Number) should be masked, revealing only the first six and last four digits.
  9. Handling Credit Cards Received by Mail:

    • The article addresses the importance of securely processing credit card information received by mail or fax, highlighting the need for physical controls and adherence to PCI DSS Requirement 3.
  10. Best Practices:

    • An example of best practices for institutions receiving credit cards by mail and fax is provided, emphasizing secure data collection, transportation, processing, storage, and destruction when no longer needed.

In conclusion, the article underscores the critical importance of secure practices and compliance with PCI DSS requirements to safeguard sensitive credit card information and mitigate potential risks for businesses.

PCI Requirements for Storing Credit Card Information on Paper - PCI DSS GUIDE (2024)


Top Articles
Latest Posts
Article information

Author: Tuan Roob DDS

Last Updated:

Views: 6360

Rating: 4.1 / 5 (62 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Tuan Roob DDS

Birthday: 1999-11-20

Address: Suite 592 642 Pfannerstill Island, South Keila, LA 74970-3076

Phone: +9617721773649

Job: Marketing Producer

Hobby: Skydiving, Flag Football, Knitting, Running, Lego building, Hunting, Juggling

Introduction: My name is Tuan Roob DDS, I am a friendly, good, energetic, faithful, fantastic, gentle, enchanting person who loves writing and wants to share my knowledge and understanding with you.