PCI Conundrum Of The Week: When Plastic Meets Paper
Written by Evan Schuman

PCI rules have always—and wisely—discouraged using payment card numbers for anything other than processing payments. But sometimes those rules run contrary to long-established paper practices, procedures that pre-dated PCI’s creation. A good example of this conundrum involves a federal agency, tax-exempt status forms, and the procedure of copying a government-issued payment card (this one happened to be Visa branded) and placing a copy in the file cabinet.
This situation involves the U.S. government’s General Services Administration (GSA) and some GSA interactions enjoyed by Benjamin Moore & Co. (the paint people). The conflict cropped up when the chain was dealing with some military accounts in Hawaii. The issue comes down to needing that payment card copy in the files (tax-exempt rules) but being unable to save the copy of a Visa payment card (PCI rules).
One store manager wrote in a memo: “Our accounting department has checked around with various tax agencies to determine what would be acceptable proof for tax exemptions. The ‘federal government’ and ‘state tax authorities’ have recommended making a photocopy of the government Purchasing Card and storing them in case they were needed for an audit. Does this make any sense? I am recommending that we don’t store photocopies, but the accounting department is saying that if the federal government is recommending this procedure, that is what we must do.”
Lovely. A conflict between the GSA—which is where bureaucrats are sent when they become too grumpy to work for the IRS—and PCI, two entities that are well known for their flexibility and willingness to listen to the reasons why their rules can’t be obeyed.
“This is definitely a PCI compliance issue. I’m surprised that state and local taxation authorities would recommend making a copy of a GSA PCard (branded by Visa) and storing that hard copy to validate tax exemption status,” said one Benjamin Moore IT manager, who asked that his name not be used. “We have a policy not to copy or store physical credit card numbers, although this happens frequently within stores against policy, such as when a contractor gives his credit card number to charge his monthly balance. I guess the state tax authorities assume that the copies would omit the sensitive information. That is what our policy will be to the stores. We’ll be having more discussions on how we will instruct the stores to handle these situations. I was hoping we had something in writing from one of the states that explicitly said to copy the cards and keep them on file.”
There is no clear answer to this conundrum, except to indeed save the cards but black out the offending data. Such an approach is hardly ideal, however, because there are no good standards for blacking out. Is a black magic marker acceptable? How much scribbling is needed? It would seem that when plastic meets paper, ROC wins. Translation: Keep the QSAs happy and make sure nothing is readable.
But what if GSA insists that the tax exempt proof must show the payment card number? After all, with the numbers fully blacked out, it’s no longer much proof of anything.
February 10th, 2010 at 9:58 pm
There are situations where existing laws are in conflict with PCI requirements. This is most often encountered in the area of background checks (Requirement 12.7) which can conflict with privacy legislation in some countries. Whenever there is such a conflict, sovereign law trumps PCI. That would seem to describe the situation here.
There is nothing in PCI prohibiting the paint company from keeping the PAN, either on paper or electronically. They just have to protect it per PCI. (And ‘blacking out’ doesn’t cut it for removing from scope; it never did. You could black out the original, scan or Xerox it, then keep the copy and securely shred the original, but that’s a long way around the block.)
My first option, though, would be to see if the acquirer can provide you the PAN if/when you need it. They should be able to locate any transaction based on date, amount, auth code, and last 4 digits of the card. If they can’t, consider getting a new acquirer.
If the GSA or state tax folks still want the merchant to keep the PAN as proof, so be it. Just protect the paper (securely locked away, severely limited access, etc.). As long as they don’t go storing security codes or other sensitive data (like copying the back of the card!), the merchant should be OK.
Personally, I’d see if the tax people would accept the first 6 digits (identifying via the BIN that it’s a GSA Pcard) along with date and transaction amount. If not, follow the law, protect the paper per PCI, and they should be fine.
Is it an unholy pain for the merchant? Maybe, but let’s make sure to blame it on the local tax authority and not PCI which has adequate provisions for addressing it.
February 11th, 2010 at 1:28 pm
Is there any guidance on paper redaction? I’ve received verbal guidance that heavy marker redaction is sufficient for the Card Verification Value, but that hole-punching the CVV out of the copy is preferable. Beyond that, you have to use good practices to store paper:
• NEVER store the CVV2/CVC2 past initial authorization in ANY form – redact with a heavy marker or punch out the number from the image.
• Evaluate business processes and determine a realistic retention policy and cycle for paper documents containing cardholder data.
• Secure paper records containing cardholder data under lock and key.
• Restrict access to such records to individuals with a valid business need to know.
• Log access to these records, i.e. a sign-out process for the key to the lock box or filing cabinet.
• Securely destroy paper cardholder data records in compliance with your policies as soon as they are no longer required.
Does anyone else have any other best practices for paper? I’d love to hear them!
February 11th, 2010 at 4:11 pm
In our industry we have this issue of customers providing us their card information to keep for future use. So thanks for the tips.
February 12th, 2010 at 12:01 pm
@Dave, I have never seen formal guidance on using a marker to ‘black out’ a PAN or other data. But I have used my eyes, and if you turn the paper just so in the light you can read quite easily the blacked-out information. Therefore, simply blacking-out or scratching-out won’t protect the data. I spend a lot of time with people on form design – put the card info on the bottom of the form; after auth cut it off and securely shred. Then keep the top part with the customer info you want/need. Otherwise I guess I’d go with your hole-punch (hey, scissors beats paper, right?) idea. Now, about those hole punch chads…
February 12th, 2010 at 4:34 pm
RE: blacking out – not only can it sometimes be read, but many copier/fax machines will pick it right up. I’ve found an ultrafine black Sharpie ‘squiggled’ vs straight line works well in most cases. For hole punches, look for a ‘long arm’ hole punch (one source is a craft store) so you can get to the number even if it is in the middle of the page.
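Two of the points raised in the comments, keeping only the BIN, last four, date, amount and auth code as the exemption proof (and letting the acquirer locate the full transaction), and checking that a marker-redacted copy is actually unreadable once it has been through a scanner, as an added Python example that is not code from the post or its commenters. The PAN is the standard Visa test number and the OCR lines are constructed.

```python
import re
from datetime import date

# Constructed sample; 4111111111111111 is the standard Visa test PAN, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

def luhn_valid(pan: str) -> bool:
    """Luhn check used to tell card numbers from other runs of digits."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six (BIN) and last four digits; PCI DSS requirement 3.3
    allows no more than that to be displayed, and the tax file never needs more."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def build_exemption_record(pan: str, when: str, amount_cents: int, auth_code: str) -> dict:
    """Tax-exemption audit record: the BIN shows a GSA purchase card was used, and
    date, amount, auth code and last four let the acquirer locate the transaction.
    The PAN is masked before anything is returned, so the full number never reaches the file."""
    masked = mask_pan(pan)
    return {
        "bin": masked[:6],
        "last4": masked[-4:],
        "date": date.fromisoformat(when).isoformat(),  # reject malformed dates early
        "amount_cents": amount_cents,
        "auth_code": auth_code,
    }

PAN_RUN = re.compile(r"(?:\d[ -]?){13,19}")

def find_unmasked_pans(ocr_text: str) -> list:
    """Check OCR text from a scanned or copied form: any Luhn-valid digit run is a
    card number the marker or hole punch missed. A properly redacted scan returns []."""
    hits = []
    for m in PAN_RUN.finditer(ocr_text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits
```

Running `find_unmasked_pans` over the OCR output of every archived copy is a cheap way to catch the "readable if you tilt it in the light" problem before a QSA does.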