Q: My agency's independent contractors (ICs) get clients' credit card numbers, card expiration dates, billing addresses and card verification codes when they make sales. I suspect that the ICs jot this information on pieces of paper and then either enter it into our GDS or a supplier's website or call it in to us or the supplier. I also suspect that the ICs keep those pieces of paper floating around their home offices. Is using pieces of paper this way legal under Payment Card Industry (PCI) rules, and if not, how can ICs get the card information?
A: Writing card information on pieces of paper is neither illegal nor in violation of PCI rules. However, maintaining or storing it as you describe violates PCI rules that probably apply to your agency and ought to apply to your ICs.
PCI rules are not laws but rather rules that are incorporated into agreements between merchants and their credit card processors or banks. If your agency is not a credit card merchant but instead relies on ARC or suppliers such as cruise lines for credit card processing, your agreements with those entities probably pass the PCI rules on to your agency.
For example, if your agency has an ARC appointment and processes transaction or service fees through ARC, the Travel Agent Service Fee Agreement states that you "shall be compliant with the Payment Card Industry Data Security Standards."
The latest version of the cited document is 139 pages long and is very difficult for nonexperts to understand. For ARC to impose this requirement on agencies is obviously unrealistic, but the rules do provide fairly clear guidance on the limited subject of keeping papers with card information.
Standard 3.2 prohibits you from storing card verification codes at all. In other words, after each charge is authorized, the paper on which the code was written must be destroyed or the code must be crossed out.
Standard 3.4 requires you to "render [the card number] unreadable anywhere it is stored." That's why credit card software shows just the last five digits of the card number. There is no exception for paper storage, so this would make reusing the paper for the next charge impossible.
Ironically, in the ARC Industry Agents' Handbook, "the recommended best practice is that agents obtain card imprints and signatures on a manual [charge form] and retain the documents securely in line with Payment Card Industry Data Security Standards in case of a chargeback ...."
So, it sounds like you should keep the paper charge forms but cross out most of the digits of the card number and do the same thing on any paper that has the number on it.
You should pass these PCI requirements on to your ICs. Allow them to write down the card data but require them either to: (a) render the card number unreadable and cross out the verification code, or (b) store the card number in an online system that masks the number and then discard the paper.
When you discard the paper, you must make sure it is "crosscut shredded, incinerated or pulped," according to PCI rules.
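As an added illustration of option (b) above (this is example code, not anything from the column, ARC or the PCI council), here is an intake routine that masks the card number and gives the verification code no place to be stored at all. The test card number, the four digits kept visible and the field names are assumptions of the example; how many digits your processor lets you display is set by its own masking policy.

```python
import re
from dataclasses import dataclass

# Sale data as an IC might key it in. Constructed for this example; the PAN is
# the standard Luhn-valid test number, not a real account.
SAMPLE_SALE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "billing_address": "123 Example St, Anytown",
    "cvc": "123",  # may be used for the authorization, never retained
}


@dataclass(frozen=True)
class StoredCard:
    """The only card record that may ever be written to disk."""
    masked_pan: str
    expiry: str
    billing_address: str
    # Deliberately no verification-code field: there is nowhere to put it.


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check, used to reject typos before masking."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Render the card number unreadable, keeping only the trailing digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def record_for_storage(sale: dict) -> StoredCard:
    """Build the storable record; the CVC in `sale` is simply not carried over."""
    return StoredCard(
        masked_pan=mask_pan(sale["pan"]),
        expiry=sale["expiry"],
        billing_address=sale["billing_address"],
    )
```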