PCI Conundrum Of The Week: When Plastic Meets Paper

Written by Evan Schuman
February 10th, 2010

PCI rules have always—and wisely—discouraged using payment card numbers for anything other than processing payments. But sometimes those rules run contrary to long-established paper practices, procedures that pre-dated PCI’s creation. A good example of this conundrum involves a federal agency, tax-exempt status forms, and the procedure of copying a government-issued payment card (this one happened to be Visa branded) and placing a copy in the file cabinet.

This situation involves the U.S. government’s General Services Administration (GSA) and some GSA interactions enjoyed by Benjamin Moore & Co. (the paint people). The conflict cropped up when the chain was dealing with some military accounts in Hawaii. The issue comes down to needing that payment card copy in the files (tax-exempt rules) but being unable to save the copy of a Visa payment card (PCI rules).

One store manager wrote in a memo: “Our accounting department has checked around with various tax agencies to determine what would be acceptable proof for tax exemptions. The ‘federal government’ and ‘state tax authorities’ have recommended making a photocopy of the government Purchasing Card and storing them in case they were needed for an audit. Does this make any sense? I am recommending that we don’t store photocopies, but the accounting department is saying that if the federal government is recommending this procedure, that is what we must do.”

Lovely. A conflict between the GSA—which is where bureaucrats are sent when they become too grumpy to work for the IRS—and PCI, two entities that are well known for their flexibility and willingness to listen to the reasons why their rules can’t be obeyed.

“This is definitely a PCI compliance issue. I’m surprised that state and local taxation authorities would recommend making a copy of a GSA PCard (branded by Visa) and storing that hard copy to validate tax exemption status,” said one Benjamin Moore IT manager, who asked that his name not be used. “We have a policy not to copy or store physical credit card numbers, although this happens frequently within stores against policy, such as when a contractor gives his credit card number to charge his monthly balance. I guess the state tax authorities assume that the copies would omit the sensitive information. That is what our policy will be to the stores. We’ll be having more discussions on how we will instruct the stores to handle these situations. I was hoping we had something in writing from one of the states that explicitly said to copy the cards and keep them on file.”

There is no clear answer to this conundrum, except to indeed save the cards but black out the offending data. Such an approach is hardly ideal, however, because there are no good standards for blacking out. Is a black magic marker acceptable? How much scribbling is needed? It would seem that when plastic meets paper, ROC wins. Translation: Keep the QSAs happy and make sure nothing is readable.

But what if GSA insists that the tax-exempt proof must show the payment card number? After all, with the numbers fully blacked out, it’s no longer much proof of anything.


5 Comments

  1. Walt Conway Says:

    There are situations where existing laws are in conflict with PCI requirements. This is most often encountered in the area of background checks (Requirement 12.7) which can conflict with privacy legislation in some countries. Whenever there is such a conflict, sovereign law trumps PCI. That would seem to describe the situation here.

    There is nothing in PCI prohibiting the paint company from keeping the PAN, either on paper or electronically. They just have to protect it per PCI. (And ‘blacking out’ doesn’t cut it for removing from scope; it never did. You could black out the original, scan or Xerox it, then keep the copy and securely shred the original, but that’s a long way around the block.)

    My first option, though, would be to see if the acquirer can provide you the PAN if/when you need it. They should be able to locate any transaction based on date, amount, auth code, and last 4 digits of the card. If they can’t, consider getting a new acquirer.

    If the GSA or state tax folks still want the merchant to keep the PAN as proof, so be it. Just protect the paper (securely locked away, severely limited access, etc.). As long as they don’t go storing security codes or other sensitive data (like copying the back of the card!), the merchant should be OK.

    Personally, I’d see if the tax people would accept the first 6 digits (identifying via the BIN that it’s a GSA Pcard) along with date and transaction amount. If not, follow the law, protect the paper per PCI, and they should be fine.

    Is it an unholy pain for the merchant? Maybe, but let’s make sure to blame it on the local tax authority and not PCI which has adequate provisions for addressing it.

  2. Dave CISA/M/SP Says:

    Is there any guidance on paper redaction? I’ve received verbal guidance that heavy marker redaction is sufficient for the Card Verification Value, but that hole-punching the CVV out of the copy is preferable. Beyond that, you have to use good practices to store paper:

    • NEVER store the CVV2/CVC2 past initial authorization in ANY form – redact with a heavy marker or punch out the number from the image.

    • Evaluate business processes and determine a realistic retention policy and cycle for paper documents containing cardholder data.

    • Secure paper records containing cardholder data under lock and key.

    • Restrict access to such records to individuals with a valid business need to know.

    • Log access to these records, i.e. a sign-out process for the key to the lock box or filing cabinet.

    • Securely destroy paper cardholder data records in compliance with your policies as soon as they are no longer required.

    Does anyone else have any other best practices for paper? I’d love to hear them!

  3. Greg Moore Says:

    In our industry we have this issue of customers providing us their card information to keep for future use. So thanks for the tips.

  4. Walt Conway Says:

    @Dave, I have never seen formal guidance on using a marker to ‘black out’ a PAN or other data. But I have used my eyes, and if you turn the paper just so in the light you can read quite easily the blacked-out information. Therefore, simply blacking-out or scratching-out won’t protect the data. I spend a lot of time with people on form design – put the card info on the bottom of the form; after auth cut it off and securely shred. Then keep the top part with the customer info you want/need. Otherwise I guess I’d go with your hole-punch (hey, scissors beats paper, right?) idea. Now, about those hole punch chads…

  5. Lee Says:

    RE: blacking out – not only can it sometimes be read, but many copier/fax machines will pick it right up. I’ve found an ultrafine black Sharpie ‘squiggled’ vs a straight line works well in most cases. For hole punches, look for a ‘long arm’ hole punch (one source is a craft store) so you can get to the number even if it is in the middle of the page.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.