Important Alerts

Please remember that Jefferson Bank will never contact you and ask you for personal information. Should you ever feel like your information has been compromised, please contact us at (210) 736-7600.

Why is Protecting Telephone-based Payment Card Data Important?

As a merchant, you have the option to determine whether you will accept card transactions over the telephone. It is important that you are aware of the risks involved and the steps you can take to ensure you are properly securing the cardholder’s information and the card presented for payment.

If you accept and/or process payment card data over the phone, use this information as a guide to follow in addition to the PCI DSS¹ requirements. It is vital to maintain contact with FiTech by Deluxe®, our trusted provider of merchant services equipment, so that you understand your compliance validation and reporting responsibilities.

Risk-mitigating technologies have significantly lowered fraud rates in face-to-face and e-commerce environments.

This has, however, shifted card fraud towards the Mail Order/Telephone Order channel.

The Payment Card Industry Data Security Standard (PCI DSS) specifically stipulates that the 3- or 4-digit verification code or value printed on the card (CVV2, CVC2, CID or CAV2) cannot be retained after authorization, and that the full card number cannot be retained without additional security measures in place. Sensitive data on the chip or magnetic stripe must never be stored after authorization. If a merchant stores the Primary Account Number (PAN), also known as the card number, it is crucial to render it unreadable². It is important to understand the various elements that are classified as cardholder data, and especially what constitutes sensitive authentication data.

The following table gives a summary of the PCI DSS guidelines for cardholder data elements:

  Data Element                          Storage Permitted   Render Stored Account Data Unreadable per PCI DSS Requirement 3.4
  Cardholder Data
    Primary Account Number (PAN)        Yes                 Yes
    Cardholder Name                     Yes                 No
    Service Code³                       Yes                 No
    Expiration Date                     Yes                 No
  Sensitive Authentication Data⁵
    Full Magnetic Stripe Data⁴          No                  Cannot store per Requirement 3.2
    CAV2/CVC2/CVV2/CID                  No                  Cannot store per Requirement 3.2
    PIN / PIN Block                     No                  Cannot store per Requirement 3.2

The practice of recording and storing telephone conversations for card transactions may leave merchants non-compliant with PCI DSS. Some organizations, in an attempt to comply with other regulatory bodies, accept card payment information over the phone and record the full card data. This places the company in violation of PCI DSS requirements and potentially exposes cardholder data unnecessarily⁶.

What Can I Do To Protect Cardholder Information?

  • Do not store sensitive authentication data after authorization is obtained, even if it is encrypted. This is a violation of PCI DSS requirements.
  • Make every effort not to store any data element unless it is necessary to meet the needs of the business and its storage meets PCI DSS requirements.
  • Limit the amount of time⁷ that cardholder data is kept and ensure that a secure disposal procedure is in place⁸. Remember, if you don’t need it, don’t store it!
  • Never allow the card validation code (referred to as CAV2, CVC2, CVV2, or CID) to be stored in a digital, audio or video format.
  • Mask the PAN/card number when displayed (no more than the first six and last four digits may be displayed at any time).
  • Ensure that cardholder data transmitted across public networks is encrypted and “non-queriable”⁹.
  • Ensure that any stored information is clearly labeled, inventoried and rendered unreadable in accordance with PCI DSS requirements.
  • Create an information security policy that is adhered to by all personnel and ensure all PCI DSS requirements are implemented.
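
The checklist above reduces to three mechanical rules that a payment application can enforce: drop sensitive authentication data once authorization is obtained, show no more than the first six and last four digits of the PAN, and keep no cleartext PAN in anything that is stored. The following Python is an added example, not Jefferson Bank’s, FiTech’s or the PCI SSC’s code; the record field names and the sample record are constructed for the illustration. It also scans free-text fields such as call notes for PAN-like digit runs that pass the Luhn check, because a card number taken over the phone is easily typed into a notes field, where a storage rule applied only to the card-number column would miss it.

```python
"""Added example (not Jefferson Bank's, FiTech's or the PCI SSC's code):
applies the masking and storage rules from the checklist above to a
constructed telephone-order record. Field names are assumptions."""
import re

# Sensitive authentication data (SAD): never stored after authorization
# (table above, PCI DSS Requirement 3.2). Field names are assumed.
SAD_FIELDS = ("cvv2", "pin", "pin_block", "track1", "track2")

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out phone numbers and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """Display rule: no more than the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_for_print(pan: str) -> str:
    """Print rule (footnote 2): no more than the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cleartext_pans(text: str) -> list[str]:
    """Digit strings in free text that look like PANs and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_text(text: str) -> str:
    """Replace any Luhn-valid PAN in free text with its display mask."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_for_display(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scrub_after_authorization(record: dict) -> dict:
    """Drop SAD, truncate the PAN to its display form (truncation is one
    of the methods Requirement 3.4 accepts for rendering a stored PAN
    unreadable), and redact PANs typed into free-text fields."""
    kept = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            continue  # never stored, encrypted or not
        if key == "pan":
            kept[key] = mask_for_display(value)
        elif isinstance(value, str):
            kept[key] = redact_text(value)
        else:
            kept[key] = value
    return kept


def storage_violations(record: dict) -> list[str]:
    """Audit a record as it would be stored; an empty list means no finding."""
    problems = [f"{k}: sensitive authentication data must not be stored"
                for k in SAD_FIELDS if record.get(k)]
    for key, value in record.items():
        if isinstance(value, str) and find_cleartext_pans(value):
            problems.append(
                f"{key}: contains a cleartext PAN; render unreadable per Requirement 3.4")
    return problems


# Constructed sample; 4111 1111 1111 1111 is a widely published test PAN
# and the callback number is a placeholder.
SAMPLE_RECORD = {
    "order_id": "TEL-2024-0001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "callback": "(555) 010-0199",
    "notes": "Customer read 4111-1111-1111-1111 over the phone; CVV given verbally",
}

if __name__ == "__main__":
    print(storage_violations(SAMPLE_RECORD))
    cleaned = scrub_after_authorization(SAMPLE_RECORD)
    print(cleaned)
    print(storage_violations(cleaned))
```

Run as a script, it reports three findings on the sample record (the CVV2 field, the cleartext PAN in the card-number field, and the PAN repeated in the notes) and none on the scrubbed copy. The retention and disposal rules in the list still apply to whatever remains after scrubbing.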

As a merchant, it is your responsibility to follow these guidelines. Doing so will help protect your business as well as your customers’ information. Customer trust is a valued asset, and you play a key role in protecting it. For further questions on how to protect proprietary information, please contact FiTech by Deluxe® at (844) 822-1281.

¹ The Payment Card Industry Data Security Standard (PCI DSS) was created by the PCI Security Standards Council, which offers comprehensive standards and supporting materials to enhance payment card data security. These standards include a framework of specifications, tools, measurements and support resources to help merchants ensure the safe handling of cardholder information at every step. The PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Please visit www.pcisecuritystandards.org for useful information about the PCI DSS requirements for merchants, which were created to mitigate data breaches and prevent payment cardholder data fraud.

² Mask the PAN/card number any time it is displayed (no more than the first six and last four digits may be displayed). Mask the PAN/card number any time it is printed (no more than the last four digits may be printed).

³ The Service Code is a three- or four-digit value in the magnetic stripe that follows the expiration date of the payment card in the track data. It is used for purposes such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.

⁴ Full Magnetic Stripe Data consists of both Track 1 and Track 2 information held in the magnetic stripe on the back of the card. It consists of the PAN, Cardholder’s Name, Expiration Date, Service Code, CVV/CVC, and PIN Verification Data.

⁵ Sensitive Authentication Data must not be retained after authorization, including for telephone operations (even if encrypted). Sensitive authentication data means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call.

⁶ Note that PCI DSS does not supersede local or regional laws, government regulations, or other legislative requirements.

⁷ To define appropriate retention requirements, an entity first needs to understand its own business needs as well as any legal or regulatory obligations that apply to its industry and/or to the type of data being retained. A formal data retention policy identifies what data needs to be retained and where that data resides, so that it can be securely destroyed or deleted as soon as it is no longer needed.

⁸ Check our website at jeffersonbank.com to find out when our next Community Shred and Recycle Day will be held.

⁹ Sensitive Authentication Data can never be stored under PCI DSS requirements; it must be secured in a manner consistent with PCI DSS and must not be able to be queried. Encrypting sensitive authentication data is not sufficient to render it “non-queriable”. For data to be considered “non-queriable,” it must not be feasible for general users of the system, or malicious users who gain access to the system, to retrieve or access the data through (but not limited to) the following: defined searches based on character sets or data format, database query functions, decryption mechanisms, sniffer tools, data mining functions, data analysis tools, and built-in utilities for sorting, collating or retrieving data.
