From the blog A Common Mistake when Collecting and Storing Credit Card Information Could Kick You Out of PCI Compliance and Cost Your Business
There is a lot of confusing rules around PCI Compliance and it can be difficult to decipher what is and isn’t allowed-especially as it relates to storing data. This can be especially tricky for businesses with reoccurring charges. And, if your business is not compliant when it comes to PCI DSS, it could cost you in non-compliance fees. It’s important to understand what is and isn’t considered PCI compliant.
Collecting credit card information through email or web forms that forward the information to general office tools such as Outlook, Office 365 or other, are not considered PCI DSS compliant. While there may be adequate firewalls in place, these environments do not encrypt cardholder data and therefore are non-compliant. In fact, MicroSoft states that “The PCI standard is not applicable to Office 365 or Microsoft Dynamics CRM Online, because credit card processing and data storage is not a function offered by Office 365 or Microsoft Dynamics CRM Online.” [https://products.office.com/en-us/legal/docid31]
If you are collecting information that way, don’t worry, there are alternatives that a business can consider to receive credit card information from their customers while remaining PCI DSS compliant. The following are a few examples.
- Manually gather information. Remove credit card information from email or form. Have customer provide phone contact information. Gather information over the phone and enter into secure hosted PCI compliant system and/or write on paper and place in secure location, then enter into PCI compliant hosted system. Alternatively, the customer can provide the information via fax.
Yes, this sounds archaic. And yes, it does add a step or two. However, your company will remain in compliance if the credit card information is stored safely in a secure location (ie: locked file cabinet in office with a lock) and will avoid unwanted PCI non-compliance fees.
- Use a Quick Hosted Shopping Cart (a.k.a. simple check out or PayNow). Many virtual terminals/gateways provide the ability to set up a quick link to a hosted payment page. Typically, these are fairly simple in function and allow the customer to input their basic card information and amounts to submit payment. A link is provided from the businesses web-site to a hosted payment page. The hosted page is in a PCI DSS compliant environment allowing the customer to input their card information with proper security and encryption in place.
Typically, these hosted pages will allow the business logo at the top so the customer understands it is related to the business. Depending on the solution used, the business can capture additional information related to the customer to help ensure reporting provides the information needed to post transactions to the accounts. Most simple check out pages require a transaction be run to capture customer profile information. However, once captured, the customer profile information can be reused to run future transactions.
- Create a “Custom Shopping Cart”. Some businesses have unique requirements requiring capture of additional information beyond the basic information supported in some quick hosted shopping carts. A business can create a custom web-form (e.g., using Gravity Forms or similar tools) to capture customer information needed; or create a full shopping cart (custom or market-ready).
With this approach, the payment portion of the information related to running a transaction and/or capturing a customer profile connects to a secure hosted PCI DSS compliant gateway through APIs. This allows the business to further customize their shopping cart or form for their needs, but separate the sensitive data as needed for use in a transaction. This approach is often used when there are specific data capture needs (e.g., medical practice) that go beyond what can be supported by a simple hosted page; or, when further integration to core operating software of the business (such as core accounting, receivables) is wanted.
When a business chooses either shopping cart approach, customers are prompted for payment information through a link to the payment solution via email or invoice.
All of these options are relatively inexpensive for the business, especially when compared to PCI Non-compliance charges or fraud expenses. Generally, it can cost from $50 to $150 for a one-time to set up fee with ongoing cost between $15 -$35 month and $0.10 transaction depending on functionality needed.
If you are unsure of your next steps, feel free to contact us and we can answer any questions related to these topics.