I'm working on a PCI DSS project for a good client of mine that's in the concessions and food service business. I was pleased to find that this company does not have any paper forms that ask a customer to fill in their CVV code, a practice that's against card brand rules and not compliant with PCI DSS. I see organizations breaking this rule much more often than you would think.
I poked around a bit to see if I could find any signs of this practice at a few other companies in similar types of businesses. It only took a few minutes to find the order forms I was looking for. I found more than I wanted to.
- One of the forms I reviewed asks the customer to fill in the "Three Digit Security Code Located on Back of Card:" Bad.
- This same form asks the customer to "Please complete this form and return to email_address_here...". This is also bad.
I reviewed another form from another venue and found even more interesting results:
- The form asks the customer to provide "CREDIT CARD ID: (3 or 4 digit ID on front or back of card)". Bad.
- They go one step further and actually REQUIRE that "a front & back copy of the [credit] card is required for processing. This includes all clients that have made payment in full in advance with a company check." This is beyond bad.
Wow, now this is way out there when it comes to compliance. Not only are they storing the customers CVV code by asking them to print it on their order form, but they require a photocopy of both sides of the credit card and store this. Yea, this photocopy also includes the CVV code. The code they are not supposed to be storing. And to just make sure they go way outside of their card processing agreement, they gather and store the Name, Account number, Expiration date, and the CVV code even for customers who do not pay with a credit card.
These types of infractions beg the question, "What else are they doing wrong?"
Please review all of your paper order forms and confirm the following:
1. The form does not ask the customer for their CVV code.
2. The form does not request that a customer include a copy of their card.
3. The form does not imply that the completed form can be submitted by email. Do not include an email address anywhere on the form.
If you have been doing #1 or #2, you should track down all of those forms and destroy them in an appropriate manner.
If you have been doing #3, you should track down any inbound order forms that were emailed to you. These messages should be appropriately deleted and purged from all systems and media in which they are found.