Q&A Forum

Credit Card processing and compliance

I'd welcome comments from anyone who may have had to address this scenario around PCI-DSS and HIPAA compliance:

Imagine this situation: sales staff interact with prospective customers in a public place. Prospects may decide to fill in a paper form for a trial health-related service at a large discount; the form includes name, address, DOB, etc., as well as their credit card details.

After the event, sales staff return to the home office and process the forms. This includes entering personal data into a web-based custom application as well as running the credit card through a card processor website. The paper form is retained by the sales staff and is also faxed to a company office, where it is printed.

When the prospect arrives at the office for their trial service, their paperwork is updated with a copy of their health insurance card, and all paper is then efaxed to a shared email account at the billing office. There the efax is printed and stored in a manila folder.

My concern is that retention of credit card data on paper in various uncontrolled locations is a PCI issue and that moving the paper between offices is a HIPAA issue because of similar issues around access to patient data, including data other than credit card data.

Anyone care to add to this?

Many thanks!

Sara Voight (Controller, Critical Signal Technologies, Inc)

I can only speak to the PCI compliance issues. I have had situations where people show up with their CC info written on a piece of paper and leave it with a receptionist. We always took the approach that, to maintain the safety of our clients' CC data, we could only accept it at our corporate office on an original form. The CC info was always kept in a secured area and rarely touched. It was more common to contact the client to have them complete a new form. It was frustrating for them from a convenience standpoint, but they did understand that this was intended to protect them. This also meant that the client's account could not be turned on until the corporate office received and input the CC info, but it saved a lot of grief from the perspective of a rogue salesperson. Our auditors really liked this as well.

Cliff Gray (CTO, FroogaliT)

Len -

You're certainly running into some of the tricky aspects of PCI DSS; paper forms funneling through a business play havoc with compliance. It's a matter of traditional and/or practical behavior versus secure procedures. As Sara implied, if you must accept paper forms with card numbers, keeping that paper safe from the bad guys is critical.

A few trends are addressing this vulnerability. Many businesses are imaging any paper forms, then destroying the paper. The digital images are easier and cheaper to secure, and have obvious advantages during subsequent access to the form. Tokenization takes this a step further, by sanitizing any sensitive data before it enters the business network confines.

In your scenario, tokenization may not be practical, but that general philosophy may help. For instance, the outside sales reps would benefit from a mobile-based enrollment form that can be pulled up on their Android phone, iPad, etc. They love not having to deal with paper, and their new enrollments are delivered online, instantly. Similarly, new customers can be directed to a secure web site to enroll and enter their payment credentials securely.

PCI's goal is to reduce, if not eliminate, card numbers from merchant environments. To that end, converting paper processes to digital not only eases the efforts of securing sensitive data, but typically improves the efficiency of the process itself. It doesn't solve the whole PCI question, but it's a good start.

Hope that helps!
Best ~

Len Green (Performance Improvement Consultant and ERP Strategist, Haygarth Consulting LLC)

Thanks for all the comments above. They triggered another thought: how do you manage the risk, e.g. regarding business insurance coverage? Do your policies cover exposure to claims from the public or from regulators if you are out of compliance?

Becky Ledermann (Business Manager, H M Pitt Labs, Inc.)

Where can I find a PCI policy?

Brian Karr (CFO, In-between)

Get one from your gateway provider. They have standard PCI compliance documents and should provide you one as part of their solution. You can modify it as you see fit for your organization.
