Requirements for Storing Credit Card Information on Paper
To ensure that merchants are properly protecting and securing consumer credit card information while taking payments, the credit card industry publishes and enforces PCI-DSS.
Much of the focus of the standards is on the electronic treatment of personally identifiable information (PII), whether the data is in motion or at rest, but PCI-DSS also deals with non-electronic elements of data management, including both employee and contractor access, as well as how to manage physically-recorded information.
Failure to meet stringent standards for storing credit card data on paper is no less serious than setting up insecure databases or payment data collection processes.
What payment information can merchants store?
Broadly speaking, merchants who execute credit card transactions can store:
- Primary Account Number (PAN)
- Cardholder Name
- Service Name
- Expiration Date
By contrast, merchants are not permitted to store:
- Full Magnetic Stripe Data
- CAV2/CVC2/CVV2/CID
- PIN/PIN Block
The media on which this information is stored—whether physical or digital—is irrelevant: PCI-DSS requires merchants to ensure that the data, even when necessary to complete a sale, is promptly and irrevocably destroyed after use.
Why would a merchant store credit card data on paper?
In the vast majority of cases, there is no good reason to store credit card data on paper at all.
In a physical retail environment, the vast majority of sales are made through electronic terminals, which scan, use, and discard credit card information; in online sales, the card is not present and details are passed electronically. That said, manual flatbed readers are still technically viable in emergencies (e.g. when power is out or when internet connectivity is unavailable), and the slips that they produce include credit card information - although, crucially, not the CVV, PIN, or full magnetic stripe data.
Additionally, a telephone operator attempting to make a sale may need to write information down when the processing system is unavailable, so that they can process the transaction at a later time.
Who should access credit card information?
Once credit card information is written down on paper, it falls under the same strict rules as it would if it were stored digitally, with the exception that it cannot, of course, be encrypted. This means that:
- It must only be accessed by authorized personnel, with an audit trail maintained.
- It must be stored in a secure location (such as a locked safe).
- It can only be transmitted via approved, secure systems - in other words, through a payments system with strong encryption, and absolutely never by way of standard communications software like email or SMS. Fax transmissions are only permitted where the machines at both ends are in verifiably secure locations.
- PAN details and CVV/CVC information should never be stored together.
- Paper receipts must be destroyed in such a way that account information cannot be identified or reconstructed.
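The rules above (and the "never store PAN and CVV/CVC together" rule) can be checked mechanically once a paper form or an operator's note has been transcribed. The following is an added example, not code from the original page or from any vendor it mentions: it validates candidate PANs with the Luhn check, masks them to the first six and last four digits for any retained copy, flags prohibited elements in a structured record, and flags a note that carries a PAN next to a CVV-style value. Field names, the CVV label heuristic and the sample note are constructed assumptions.

```python
import re

# Elements from the page's "not permitted to store" list, as they might be keyed
# in a record transcribed from a paper form (field names are constructed).
PROHIBITED_FIELDS = {"full_magnetic_stripe", "cvv", "pin", "pin_block"}
# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3- or 4-digit value introduced by a CVV-style label (constructed heuristic).
CVV_PATTERN = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI-DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prohibited_fields_present(record: dict) -> set:
    """Field names in a transcribed form record that must never be retained."""
    return {k for k, v in record.items() if k in PROHIBITED_FIELDS and v}


def scan_note(text: str) -> dict:
    """Scan free-form operator notes for cardholder data that must not be retained.

    Returns masked PANs found and whether a CVV-style value sits alongside them,
    the PAN-plus-CVV combination the policy forbids.
    """
    pans = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(mask_pan(digits))
    cvv_present = CVV_PATTERN.search(text) is not None
    return {"pans": pans, "cvv_present": cvv_present, "violation": bool(pans) and cvv_present}


# Constructed sample: a phone-order note scribbled by an operator.
SAMPLE_NOTE = ("Phone order 14:02: card 4111 1111 1111 1111 exp 12/26, "
               "name J. Doe, cvv 123, call back on 555 0100")

if __name__ == "__main__":
    print(scan_note(SAMPLE_NOTE))
```

The same scan can be run over the text of outbound email or chat messages to catch the forbidden transmission channels described above before the data leaves the organization.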
When is credit card information stored on paper?
There are three situations in which credit card information is most frequently collected on paper:
- When using manual flatbed machines to record card numbers.
- When accepting credit card information over the telephone for submission by a customer service operator.
- When accepting forms for smaller organizations (such as charities or community groups).
When using manual flatbed machines, it is crucial to ensure that receipts are retained only as long as necessary to confirm completion of the submission, at which point the physical record should be properly destroyed.
Credit card information collected by telephone operators can be more complicated to manage, as it may be written on anything from an official form to a Post-It note by operators doing their best to close out deals. The key to avoiding PCI-DSS violations is to anticipate this situation ahead of time and to have a published and well-publicized policy in place that outlines acceptable and unacceptable activities.
For instance, operators should write these details only onto prepared forms and have a process for submitting them through correct channels; and whoever within the organization receives the forms should have a clear process for using the information, then either storing it in a secure location or properly destroying it. Operators should never retain copies of the information.
While smaller organizations may collect credit card information on physical forms (e.g. for donations to a charity, or to contribute to a social group), it is very hard to manage these appropriately unless strong policies and procedures are in place to submit the transactions and then verifiably destroy the information. There are no circumstances under which it is recommended to collect credit card information on self-designed forms, and including the CVV/CVC on a form alongside the PAN is particularly dangerous: it both runs afoul of PCI-DSS regulations and carries a high risk of data breaches.
How to avoid running afoul of rules on storing credit card info on paper
Rule number one is to avoid committing credit card information to paper in the first place! Most merchants today have access to technology allowing for secure collection and storage of authorized PAN and other data, which effectively eliminates the risk of data leaks via physical means. Even smaller organizations should have access to processing software that can run on mobile devices to execute transactions, making the use of physical forms anachronistic and unnecessary.
When paper storage of credit card information is unavoidable, merchants must follow strict rules to avoid PCI-DSS violations, including:
- Publish a clear policy and set of procedures for how to record, store, and access information, as well as how to destroy it.
- Establish clear audit trails to track who has access to stored information until its destruction.
- Never store PAN and CVV/CVC together, under any circumstances.
- Only use manual flatbed machines when absolutely necessary, and have a clear set of procedures on both when to use them, and how to handle their physical output.
Where possible, merchants should build systems that allow them to collect credit card information electronically, even when they are unable to simultaneously close transactions (for instance when their payment service provider (PSP) is unavailable). One effective way to do this is by using a programmable payment vault, such as the one offered by Basis Theory, which can securely collect and store credit card information, and make it available to the merchant for transmission to their preferred payment partner.