As the world continues to grapple with the coronavirus pandemic, many merchants have experienced a fundamental shift in how they must do business. Employers are scrambling to minimize employees' physical interactions with customers and each other with the intent of limiting the spread of COVID-19.
This has become quite apparent in the restaurant industry, for instance, with many establishments being forced to adopt a take-out and/or delivery-oriented service offering. With this shift, many merchants may find themselves altering their established business practices and inadvertently bypassing the controls that were in place to protect their customers’ payment card information.
Unless prior policies and procedures were implemented to govern this type of transaction, many merchants are finding themselves in a bind.
One impromptu change relates directly to restaurants, which have been particularly hard-hit by the necessary lifestyle adjustments created by the pandemic.
Restaurant employees normally engage in a card-present transaction, in which a face-to-face interaction occurs with the customer, who swipes or inserts their payment card at the point of sale. Continuing to serve customers during the COVID-19 outbreak requires them to instead engage in a card-not-present transaction, where there is no face-to-face interaction and the employees are required to process a payment over the phone.
This type of transaction makes it necessary to collect the customer’s relevant information from their payment card. This includes data such as first and last name, primary account number (PAN), expiry date, and the card verification code or value (CVV/CVC) which is the three- to four-digit number commonly found on the back of the payment card.
How do restaurants take payment card information over the phone in a Payment Card Industry Data Security Standard (PCI DSS) compliant manner under the new circumstances?
Fortunately, PCI DSS requirements 3.2 and 3.2.1 provide direction in this scenario. The related statements include:
Requirement 3.2: “Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.”
Requirement 3.2.1: “Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.”
In the context of PCI DSS requirements 3.2 and 3.2.1, sensitive authentication data includes the CVV/CVC.
What this means for the merchant is that once the authorization process has been completed, they need to ensure there is no physical or digital record of the CVV/CVC persisting within their environment, such as on manually written orders.
This also includes call recordings. For example, if a customer leaves a voicemail with their payment card information, or if the merchant uses a VoIP phone system and records calls digitally, the CVV/CVC must be removed once the authorization process is complete.
In order to remain compliant with requirements 3.2 and 3.2.1, the best practice for a merchant is to manually input the payment card information into their payment device or virtual terminal as the customer communicates it to them over the phone. If there is a business need to create hard copy records of sensitive authentication data, the merchant must ensure that the hard copies are disposed of through the use of a crosscut shredder or other method that physically renders the hard copy unrecoverable.
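The post's control is simple to state (no CVV/CVC survives authorization, in notes, voicemails or call recordings) but easy to get wrong once order notes and transcripts start accumulating. The following is an added example, not code from the post or from Avertium, showing how a merchant could scrub free-text records after authorization and then audit stored records for residual sensitive authentication data. The patterns, the sample call note and the record store are all constructed for the example; a real deployment would have to be tuned to the merchant's own record formats.

```python
import re
from typing import Dict, List

# Constructed detection patterns (assumptions for this example):
#  - a PAN is 13 to 19 digits, optionally separated by spaces or dashes;
#  - a CVV/CVC is a 3- or 4-digit number introduced by a label such as "CVV".
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security code)(\W{0,5})(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used so that phone or order numbers are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match[str]") -> str:
    """Replace a Luhn-valid PAN with the first six and last four digits only."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_valid(digits):
        return raw              # not a card number; leave the text untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_sensitive(text: str) -> str:
    """Remove the CVV/CVC entirely and truncate any PAN in a free-text record.

    Run this on order notes or call transcripts as soon as authorization
    completes; the CVV is dropped outright because PCI DSS requirement 3.2
    forbids keeping it in any form after authorization.
    """
    text = CVV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return PAN_RE.sub(_mask_pan, text)


def find_residual_sad(records: Dict[str, str]) -> List[str]:
    """Audit helper: return the ids of stored records that still hold a CVV/CVC."""
    return [rid for rid, text in records.items() if CVV_RE.search(text)]


# Constructed sample call note, as an employee might have typed it during a phone order.
# 4111 1111 1111 1111 is a standard Luhn-valid test number, not a real account.
CALL_NOTE = ("Order 0042 for J. Doe, deliver to 12 Elm St. Card 4111 1111 1111 1111 "
             "exp 12/26, CVV 123. Callback 555-0199.")


if __name__ == "__main__":
    store = {"order-0042": CALL_NOTE, "order-0043": scrub_sensitive(CALL_NOTE)}
    print(scrub_sensitive(CALL_NOTE))
    print("records still holding a CVV/CVC:", find_residual_sad(store))
```

Two design points are worth noting. The CVV is replaced rather than masked because requirement 3.2 allows no retained form of it, whereas the PAN is truncated to the first six and last four digits, the display format PCI DSS permits, so the note remains useful for order lookup. The Luhn check keeps the callback number and order id intact. A scan like `find_residual_sad` is a detective control for records that were created anyway; it does not replace the post's primary recommendation of keying the card data straight into the terminal and never writing it down.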
With no persistent physical or digital record, the merchant can be compliant with requirements 3.2 and 3.2.1 and still be able to serve their customers during these trying times.
Edison Munoz, Associate QSA
Edison Munoz is an Avertium associate QSA with our PCI Risk & Compliance practice. Edison assists with conducting PCI compliance audits, often serving in a consultative role to help our customers understand PCI DSS requirements and how they relate to their business.