Paper Credit Card Authorization Forms put you at Risk

Sunday, March 9, 2025

If your business accepts paper credit card authorizations, this blog post is for you!

Receiving and storing credit card authorization forms represents a substantial financial risk in the event of identity theft. Because these businesses also extend credit terms, additional rules come into play that can increase fines and even result in felony charges with jail time. Few have insurance to cover the financial losses, and reputation damage can devastate revenues.

Paper forms can also lead to data-entry errors and financial discrepancies. Finally, customers distrust emailing or faxing their personal financial data to you as the merchant. This erodes your customers' confidence and leads to lost revenue.

To eliminate this risk, businesses are encouraged to use secure methods for handling credit card information, such as encrypted online payment gateways or tokenization systems. These methods reduce the risk of unauthorized access, data breaches, and non-compliance with PCI DSS requirements.

Here are some do's and don'ts:

  • It's NOT OK to store CVV security code data. A cardholder's CVV2 may never be stored as part of order information or customer data after authorization, whether on paper or digitally encrypted. Because most forms ask for the CVV2 in order to validate the card and keep a signed authorization on file to protect against disputes, most forms are not PCI compliant.
  • It's NOT OK to store the full PAN (primary account number) on paper. It must be rendered unreadable anywhere it is stored, according to PCI DSS Requirement 3.4.
  • Businesses must have a legitimate reason to store cardholder data, and must have a plan to purge it on a quarterly basis. Given that secure tokenization solutions are available for virtually any stored-card need imaginable, it is hard to see how, in the event of a breach, a business could justify having stored full card data on an internal system.
  • PCI Requirement 9 restricts physical access to card data. Data must be kept in a separate locked environment. For example, if a media disk is in a locked room, sensitive files must be in a separate locked cabinet that holds nothing else. Merchants must maintain a physical log tracking who removed what from the secured area, and who used it, if different. The inefficiency of maintaining, monitoring, and manually keying in the same card number over and over again cannot be overstated.
  • Do you have a log to maintain a physical audit trail of visitor information and activity in any area that payments are processed, including visitor name and company, and the onsite personnel authorizing physical access?
  • Do you have a visitor badge system that expires for all visitors authorized to enter areas where cardholder data is processed or maintained?
  • Are forms ever received on a fax accessible outside a locked room with strict access controls?
  • Are forms ever accessible via the internet/intranet? Who has access to the servers? Backups?
  • Is there any time when cardholder data is accessible while waiting to be used (faxes received, inbox items to be processed, etc.) or waiting to be returned to the secure environment?
  • What is the monitoring schedule to ensure compliance for all items above?
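The two technical points above, never keeping the CVV2 after authorization and rendering any stored PAN unreadable (Requirement 3.4), together with the tokenization approach mentioned earlier, can be illustrated in a small script. The following is an added example written for this post, not code from the original or from Allinone-Software.com: it scans text (for instance an OCR'd or emailed authorization form) for Luhn-valid card numbers, truncates them to the last four digits, drops labelled CVV values, and shows a minimal in-memory stand-in for a tokenization vault. The regular expressions, the `TokenVault` class and the sample form text are assumptions constructed for the example; the card numbers in it are well-known test numbers, not real accounts.

```python
from __future__ import annotations

import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits. (Pattern is an assumption for this example.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A labelled CVV/CVC value on a form; the label is kept, the value is dropped.
CVV_FIELD = re.compile(r"\b(CVV2?|CVC2?|CID)\b(\s*[:#]?\s*)\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number found in text, separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def truncate_pan(digits: str) -> str:
    """Keep only the last four digits; PCI DSS permits at most first six / last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Render full PANs unreadable and strip labelled CVV values from stored text."""
    def mask(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)

    text = PAN_CANDIDATE.sub(mask, text)
    return CVV_FIELD.sub(lambda m: m.group(1) + m.group(2) + "[removed]", text)


class TokenVault:
    """In-memory stand-in for a tokenization service (assumption: a real vault is a
    separate, PCI-scoped system). The PAN lives only here; the business record keeps
    an opaque token and the last four digits."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        digits = _digits_only(pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
        self._store[token] = digits
        return token, digits[-4:]

    def detokenize(self, token: str) -> str:
        return self._store[token]


# Constructed sample: what an OCR'd or emailed authorization form might contain.
# 4111 1111 1111 1111 is a well-known test number; the order ref is not a card number.
SAMPLE_FORM_TEXT = (
    "Name: J. Doe\n"
    "Card number: 4111 1111 1111 1111\n"
    "Exp: 12/27  CVV: 123\n"
    "Order ref: 1234567890123456\n"
    "Phone: 555-0100\n"
)

if __name__ == "__main__":
    print("Unmasked PANs found:", find_pans(SAMPLE_FORM_TEXT))
    print(redact(SAMPLE_FORM_TEXT))
    vault = TokenVault()
    token, last4 = vault.tokenize("4111 1111 1111 1111")
    print("Stored on the order:", token, "ending", last4)
```

Running `find_pans` over a folder of received forms or a mailbox export is a quick way to answer the "are forms ever accessible via the internet/intranet?" question above with evidence rather than assumptions; the Luhn check keeps order numbers and phone numbers from showing up as false positives. Note that the vault here only demonstrates the shape of tokenization: with a real processor, the PAN is sent straight to the processor's gateway and only the returned token is ever stored on your systems.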

Paper authorization forms are risky, inefficient, and reduce profits on a daily basis. Plus, customers don't like them.

There is an easy solution to mitigate this risk AND enhance your customer experience. If your business accepts credit cards and uses a payment processor such as Authorize.net, we recommend setting up a secure client portal. It lets you invoice and transact conveniently and interact with your processor and merchant account in real time. It also gives your customers a state-of-the-art "My Account" website where all their information is stored securely and in a PCI-compliant manner.

Contact Allinone-Software.com for more details today.
