Online purchases are far more common than payments mailed in on a paper form, but sometimes the form is still the easiest way to take a payment. Whether it’s for donations or purchases, if you’re accepting credit or debit card payments using a paper form, there are a few things you can do to keep your processes PCI compliant and make sure your donors’ or customers’ payments are protected.
Receiving Payment Data Securely
PCI DSS doesn’t set out a specific process for handling a payment that arrives by mail, but securing cardholder data however you receive it is still part of PCI compliance, so you should always think about how to do this securely.
Understand Your Data Flows
The first thing to do is document this payment flow, even if you aren’t required to produce a cardholder data flow diagram as part of your PCI compliance. That way, if or when you need to explain how you receive payments, you already have a clear view of where the risk sits: where the forms arrive, who handles them, where they sit between steps, and where the card data is entered and destroyed.
Limit Physical Access
One way to ensure accountability for incoming payments is to have them sent to a specific location (for example a PO Box) that only a limited number of people can access. This reduces the risk of someone walking off with a pile of forms containing cardholder data without you being able to tell who did it. You don’t have to restrict access to a single person, but you probably don’t need to give it to many people either.
Processing Payments Securely
Use Payment Pages or Payment Applications
When you accept payments, make sure the card information is entered directly into a PCI compliant payment page or a validated payment application (historically a PA-DSS application; PA-DSS has since been retired in favour of the PCI Software Security Framework, so check the application is listed under whichever standard currently applies). Entering payments in a PCI compliant way means less risk for you, either because you can rely on your service provider or because the application is already helping you protect the data. Keep in mind, though, that using a validated payment application does not automatically make you compliant!
Never store cardholder data in temporary locations, and limit the processes where you might need to do large batch entry. Typing credit or debit card numbers into a spreadsheet is a high-risk practice: the file can easily be synced to the cloud by accident, e-mailed, or left sitting on a laptop or PC.
Another thing you can do is put some oversight on payment entry. For example, having people work in pairs or running a regular audit of what was entered against the forms received might work for you.
(Temporarily) Storing Payments Securely
We’ve said that you shouldn’t store cardholder data if you don’t need it, but we also understand that sometimes you may need to hold it for a short time in order to complete payments or until it can be securely destroyed.
Lock Unopened Payment Forms Away
Maybe only one person has access to your mailbox, but the payments are processed by someone else. Or maybe you only process payments once a week. For PCI, you need to make sure that any paper forms containing cardholder data are secured at all other times. Keep them in a locked filing cabinet, safe or similar unit that can’t be opened, and from which the forms can’t be removed, until the payments can be processed.
Protect Opened Payment Forms
Once you have opened the payment forms, you need to know exactly what happens to them next.
If you need to keep them as part of your records, remove or redact the card payment information. The card security code (CVV/CVC) must never be retained at all, even in redacted form, once the payment has been authorised. For example:
- Can the payment information be printed at the bottom of the form so that part of the page can be cut off and securely destroyed?
- Could you black out the payment information, leaving at most the first 6 and last 4 digits of the card number, and then scan the form?
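If you scan redacted forms, or ever need to check an OCR export or a stray spreadsheet for card numbers that should not be there, the following Python snippet shows the first 6 / last 4 truncation rule applied in code, plus a simple check for unmasked numbers. It is an added example, not part of the original article or any PCI Council tool, and the sample text, the 13 to 19 digit length window and the `mask_pan`/`find_unmasked_pans` names are assumptions for illustration.

```python
import re

# Constructed sample: the kind of text you might get from OCR on a scanned
# form or from a spreadsheet export. Not real data.
SAMPLE_TEXT = (
    "Donor: A. Example\n"
    "Card: 4111 1111 1111 1111 Exp 12/29\n"
    "Ref: 123456 order 7890 (not a card number)\n"
    "Previously redacted: 411111******1111\n"
)

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, and not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that real
    card numbers satisfy. Used to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a card number to first 6 / last 4, the most PCI DSS lets
    you keep on a redacted record. Spaces and dashes are stripped first.
    Assumes a 13-19 digit PAN (an assumption for this example)."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a card-number-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return full card numbers still present in text (Luhn-valid digit
    runs of card length). Treat hits as leads to review, not proof."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_text(text: str) -> str:
    """Replace every unmasked card number in text with its first6/last4
    form, leaving Luhn-invalid digit runs (order numbers etc.) alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print("Unmasked card numbers found:", find_unmasked_pans(SAMPLE_TEXT))
    print(redact_text(SAMPLE_TEXT))
```

The Luhn check filters out most reference numbers and dates, but any Luhn-valid 13 to 19 digit run (some phone or account numbers) will still match, so treat a hit as something to look at rather than an automatic finding. The truncation keeps only what PCI DSS permits you to retain on a record; never apply a similar “keep part of it” approach to the security code, which must not be kept at all.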
If you don’t need to keep the forms once they’ve been opened and processed, things are much simpler: you just need to make sure they are securely destroyed. This usually means shredding them immediately or placing them in a locked document destruction bin in a secure location.
If you’re shredding the forms, use a cross-cut shredder that produces pieces small enough that the card number can’t be reconstructed.
If the forms go into a destruction bin, check whether the third party collecting them is PCI compliant, so you know they destroy the forms securely. If they aren’t, you will need to confirm how they destroy the forms so that no one can reconstruct the cardholder data, and keep a record of that assurance.
And if you need to hold the forms temporarily before either of these steps, store them just as securely as you would before processing: keep them in a locked location, give access only to people who need it, and log that access if you can.
Train Staff About Security & Compliance
The biggest thing you can do to protect cardholder data, though, is to make sure that the people working with it know how to protect it. Security awareness training is part of your PCI requirements, but beyond the requirement, staff awareness is vital to keeping the data safe. A good security culture and a solid grasp of baseline security practices benefit everyone, not just your donors or customers.
The more people know, the more likely they are to notice risks, and the more you and your team can do to mitigate them.
- Understand your data flows, where you get cardholder data, who has access to it, and how it is processed.
- Make sure paper forms are received securely.
- Make sure that payments are processed securely through a payment gateway or validated payment application.
- Make sure that any forms kept after processing are stored securely, and that forms you don’t keep are destroyed so that the card number can’t be reconstructed.
- Most importantly, train your staff, and provide regular refresher training. Your staff are your best defence against these risks.