2

I work for a company that sends out mail/telephone order goods. Some customers have orders they receive every day, with different amounts.

We have been asked a few times by various customers if we can store their card details, for processing later, citing the fact that other suppliers offer this service.

How could this be allowed? E.g. the offline storage of full card holder data, including the security code (CSC) from the rear of the card?

Under PCI, if this data is received via a non electronic format and with written consent, would this be allowed?

We want to try and accommodate customers as much as possible (especially if competitors offer this service), but we want to be fully PCI compliant. Due to the entirely offline nature of this case, I am having trouble finding a concrete answer; please could someone clarify?

As under PCI compliance documentation, you cannot store any of the following:

  • CAV2/CVC2/CVV2/CID

So surely this applies to offline storage as well?

I am sure that I am correct in thinking this can't be stored (even in a 100% offline manner), but I just want clarification, thanks.

crooksey
  • are you sure that you need the CSC to process payments? – schroeder Dec 12 '17 at 09:43
  • I assume they can process without the CSC; that's the only way I can think they are doing it. – crooksey Dec 12 '17 at 09:54
  • Check if your acquirer or processor supports 'recurring' transactions. This is designed for subscriptions or time-payment plans, but as long as the customer agrees in advance (perhaps with some specified limits) it should work for any series of charges to the same card. You only need full verification (CSC, AVS, etc) on the first txn, and you may need to store a returned token; subsequent txns only need same PAN (which you can store with good-enough encryption) and probably expiry, the token if any, and a flag saying it is recurring. – dave_thompson_085 Dec 14 '17 at 05:24

3 Answers

1

PCI-DSS is pretty clear on this point in a few documents:

Here's one for guidance on how to process orders over the phone:

https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

the three-digit or four-digit card verification code or value printed on the card (CVV2, CVC2, CID, or CAV2) cannot be retained after authorization

Period. It does not matter what media is used.

schroeder
1

You can store the credit card number, but not in clear text. You should have something that encrypts it, and the only thing you can show, if I am not mistaken, is the last 4 digits of the card.

The code on the back of the card you cannot store in any situation; it is valid only for verification of the transaction.

Hugo
1

As @schroeder pointed out you can’t store some sensitive information after processing no matter the media.

I wanted to suggest a solution that might be helpful. You could use a payment gateway to tokenise the credit card number, then you just store the token, and charge against that token when a new order comes in. The gateways I've seen have virtual terminals where you can input all the data, or there may be a way to automate it. This has different PCI compliance implications (SAQ C perhaps), but it is certainly a lot safer than storing the data yourself. It would also allow for recurring billing etc. if wanted.

Richard
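The following is an added example, not code from any of the answers above, sketching the "card on file" design that Hugo's and Richard's answers describe: the full card data (including the CSC) is sent to the gateway once, for the first verified transaction; the merchant keeps only the returned token, the last four digits and the expiry, and later charges reference the token alone. The `FakeGateway` class is a hypothetical in-process stand-in for a processor's tokenisation and charging API (the real one would be an HTTPS call to your acquirer); the card numbers in the usage are the well-known Luhn-valid test numbers, not real cards.

```python
"""
Added example: a store-the-token, never-the-CSC card-on-file flow.
FakeGateway is a hypothetical stand-in for a payment processor's tokenisation
API; in production the token-to-PAN mapping lives in the processor's vault,
not in the merchant's systems.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; catches typos before a gateway round-trip."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


class FakeGateway:
    """Hypothetical processor stand-in: mints opaque tokens, holds the vault."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, processor side only

    def tokenise(self, pan: str, expiry: str, csc: str) -> str:
        """First, fully verified transaction: PAN, expiry and CSC are all used."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        if not re.fullmatch(r"\d{3,4}", csc):
            raise ValueError("CSC must be 3 or 4 digits")
        if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
            raise ValueError("expiry must be MM/YY")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_pence: int) -> bool:
        """Later charges need only the token; the CSC is not involved."""
        return token in self._vault and amount_pence > 0


@dataclass(frozen=True)
class CardOnFile:
    """Everything the merchant keeps between orders. Note: no PAN, no CSC field."""
    customer_id: str
    token: str
    last4: str
    expiry: str
    recurring_consent: bool = True


def store_card_on_file(gateway: FakeGateway, customer_id: str,
                       pan: str, expiry: str, csc: str) -> CardOnFile:
    """Tokenise once with the full data; the CSC is dropped as soon as this returns."""
    token = gateway.tokenise(pan, expiry, csc)
    return CardOnFile(customer_id=customer_id, token=token,
                      last4=pan[-4:], expiry=expiry)


def charge_stored_card(gateway: FakeGateway, card: CardOnFile, amount_pence: int) -> bool:
    """Recurring charge against the stored token, gated on the customer's consent."""
    if not card.recurring_consent:
        raise PermissionError("customer has not consented to stored-card charges")
    return gateway.charge(card.token, amount_pence)


def retains_sensitive_data(card: CardOnFile, pan: str, csc: str) -> bool:
    """Self-check for the stored record: no field may contain the PAN or equal the CSC."""
    fields = (card.customer_id, card.token, card.last4, card.expiry)
    return any(pan in f or f == csc for f in fields)


if __name__ == "__main__":
    gw = FakeGateway()
    # Constructed input: a standard Luhn-valid test number, not a real card.
    card = store_card_on_file(gw, "cust-42", "4111111111111111", "12/29", "737")
    print(card)                                  # token, last4, expiry only
    print(mask_pan("4111111111111111"))          # ************1111
    print(charge_stored_card(gw, card, 1999))    # True, no CSC needed
```

The point the record type makes is structural: because `CardOnFile` has no place to put the CSC, a later "just store it for convenience" change has to add a field, which is the kind of diff a reviewer will notice. Whether the resulting setup lands you in SAQ C, SAQ A-EP or elsewhere depends on how the virtual terminal or API integration is done, which is a question for your acquirer rather than for the code.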