
Storing Credit Card Data on Paper: Risks, Requirements & Best Practices

Lizzy Rosenberg
October 16, 2024


Have you ever been in a rush and had to quickly jot down a customer’s credit card info on a scrap of paper? You’re not alone: many businesses have had to take credit card info in writing in an emergency. If your business is one of them, especially if you handle high risk merchant accounts, it's critical to understand the risks, compliance requirements, and best practices for keeping sensitive customer credit card information secure.

While it may seem harmless to jot down a 16-digit number on an order form or store paper receipts with full card numbers in a file cabinet, the consequences of improperly handling that data can be severe. Businesses that fail to follow strict rules for paper records containing credit card info can face:

  • Exposure and theft of card numbers, leaving sensitive cardholder information at risk
  • Data breaches exposing sensitive authentication information to criminals
  • Financial penalties of up to $100,000 per month for PCI non-compliance
  • Legal liability and lawsuits if customer credit card information is compromised
  • Catastrophic damage to your business reputation and customer trust

The Payment Card Industry Data Security Standard (PCI DSS) has stringent requirements for securing credit card info, whether it's processed electronically or on old-fashioned paper. Following PCI guidelines and implementing best practices for collecting, storing, and destroying credit card information on paper is essential for any business that handles this data. Although PCI DSS mandates rigorous testing of digital systems, the burden of PCI compliance applies equally to paper storage. Businesses using paper must ensure proper handling to avoid the consequences of legal action from data breaches.

In this article, we'll explain exactly why so many businesses still end up with credit card transactions on paper, the risks of mishandling those paper receipts, what PCI DSS requires for the storage of credit card data on paper, and the best practices your business can implement to keep card information safe. Let's dive in!

Why Do Merchants Store Credit Card Data on Paper?

In today's digital age, it's easy to assume that credit card information is always entered directly into a computer or online credit card processing software. However, there are several common scenarios where merchants end up needing to write down card numbers on paper:

  • Phone orders where the customer reads their 16-digit number and security code to the merchant over the phone
  • Mail orders where the customer writes their American Express or other card number on a paper authorization form and mails it in
  • In-person transactions where the merchant uses a manual imprint machine to take an impression of the magnetic stripe on carbon paper

Additionally, some businesses, such as those managing a subscription merchant account, store credit card information on paper forms for recurring billing purposes. If a customer has a subscription or installment plan, the merchant may keep their card on file to process payments each billing cycle without needing to contact the customer again.

While it may seem more convenient to jot down a card number versus entering it into a system on the spot, storing customer credit card information on paper comes with major drawbacks and risks compared to digital storage. Paper receipts can easily be lost, stolen, or copied without permission. There's no way to encrypt paper, so anyone who can access the document can see the full, unprotected card numbers. Tracking who has accessed paper receipts is also difficult.

As a result, storing credit card info on paper greatly increases the risk of sensitive authentication information falling into the wrong hands and being used for fraudulent activities. A single paper receipt containing customer credit card information that gets misplaced or stolen could lead to a major data breach and all of the financial and legal consequences that come with it. Using paper storage for sensitive cardholder data is often considered a bad idea due to the lack of robust security measures.

The Dire Consequences of Improperly Storing Paper Credit Card Data

In 2019, a small jewelry store in Florida was broken into after hours. The thieves made off with several pieces of inventory—and a stack of paper receipts containing over 100 customers' credit card numbers. The store was soon hit with a flood of chargebacks from fraudulent transactions on those stolen card numbers, amounting to thousands of dollars in losses that the store had to absorb. On top of that, the store faced:

  • A $10,000 fine from their acquiring bank for violating PCI DSS requirements by storing unprotected full credit card info
  • A class action lawsuit from angry customers whose customer credit card information was breached, resulting in a $50,000 settlement
  • Scathing media coverage and dozens of negative online reviews from customers calling out the store's negligence with their personal information

Unfortunately, this store's experience is not an isolated incident. Businesses that fail to properly secure paper records containing cardholder data are at serious risk of unauthorized access to credit card info, with severe financial and legal ramifications. The PCI SSC may levy fines of $5,000 to $100,000 per month for PCI compliance violations on top of any fraud losses. Lawsuits from affected customers can easily cost hundreds of thousands in settlements and legal fees. And once a business has lost customer trust by putting their card information at risk, it can take years to rebuild their reputation—if they even manage to stay in business.

The consequences of improperly handling paper credit card records are simply too high to risk. Business owners must take the necessary precautions to protect this data as if their business depends on it—because it does.

PCI DSS Requirements for Storing Credit Card Data on Paper

The PCI DSS has strict requirements around paper receipts containing cardholder data that all business owners must follow:

  • Never write down the card verification value (CVV), PIN, or full magnetic stripe data—it's against PCI rules to store this information even on paper
  • Physically secure any paper documents containing card numbers in a locked drawer, safe, or other restricted-access area
  • Limit access to paper records to only employees who need them for their job function
  • Mask the primary account number (PAN) on any record where a full PAN has been written down, so that at most the first six and last four digits remain visible
  • Cross-cut shred paper records containing card data as soon as they are no longer needed for business or legal reasons
  • Have a written policy documenting your procedures for securely storing and destroying paper receipts containing credit card info

To stay PCI compliant, it's essential that all employees who may handle paper receipts with customer credit card information are trained on and held accountable to these requirements. Merchant service providers should also educate clients on these rules to avoid exposure.

Paper Credit Card Data Handling Best Practices

In addition to meeting PCI DSS requirements, merchants can further reduce risk by adopting these best practices for paper credit card records:

DO:

  • Avoid writing down full card numbers altogether if possible—instead, use abbreviated PANs or a reference number that maps to credit card info securely stored in a PCI-compliant digital system
  • Lock paper receipts containing card information in a secure area with strict access controls, like a badge reader or access log
  • When you must write down full PANs, use strong security practices like only writing a portion of the number on each page of a multi-page document
  • Designate a specific employee or team to be responsible for the secure storage, tracking, and destruction of paper receipts
  • Partner with a PCI-certified document destruction vendor for secure shredding services

DON'T:

  • Leave paper receipts containing card numbers unsecured on desks, printers, copiers, or fax machines
  • Store paper receipts any longer than absolutely necessary for a specific business need
  • Give employees access to stored card numbers without proper training and a legitimate business purpose
  • Let employees take paper receipts offsite without a secure transport and storage plan
  • Dispose of paper receipts in the trash or standard recycling bin without shredding them first

Merchants who collect credit card transactions on paper should regularly audit their document storage and handling practices to look for opportunities to reduce paper usage and ensure PCI requirements and best practices are being consistently met.
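As an added example (not code from the original article or from Zen Payments), the helper below applies the PAN-masking rule from the PCI DSS section above (at most the first six and last four digits visible) and supports the audit recommendation just described by scanning a transcribed order form for unmasked card numbers and written-down CVVs. The order form text and the card numbers in it are constructed test values, and the Luhn check is used only to tell card numbers apart from other long digit strings such as order numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A CVV/CVC/CID label followed by 3 or 4 digits: PCI DSS forbids storing this at all.
CVV_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID|security code)\b\s*[:#]?\s*\d{3,4}\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to distinguish real PANs from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str):
    """Find Luhn-valid card numbers in free text; return them already masked."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def audit_record(text: str):
    """Summarise what a paper record (typed or OCR'd) exposes, without echoing full PANs."""
    return {"unmasked_pans": find_unmasked_pans(text),
            "cvv_present": bool(CVV_RE.search(text))}


# Constructed sample: a hand-written phone order, transcribed for audit.
SAMPLE_ORDER_FORM = """\
Phone order 2024-10-16  Order 1234567890123
Card: 4111 1111 1111 1111  Exp 12/27  CVV 123
Backup card: 5555555555554444
Callback: 801-555-0100
"""

if __name__ == "__main__":
    print(audit_record(SAMPLE_ORDER_FORM))
```

The order number and phone number are skipped because they fail the Luhn check or are too short, while both card numbers are reported in masked form and the CVV line is flagged for destruction.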

Proper Paper Credit Card Handling is Worth the Effort

Despite the digital transformation of payments, many merchants still have legitimate reasons to collect credit card info on paper. But with cyber criminals increasingly targeting small businesses and paper receipts as an easy entry point, properly securing those paper documents is more critical than ever.

PCI DSS requirements provide a baseline, but going above and beyond to implement paper-handling best practices is key to minimizing risk and maximizing customer trust. A single unsecured document containing customer credit card information can lead to devastating financial, legal, and reputational consequences if it falls into the wrong hands.

The effort required to lock down credit card info security is well worth it for the peace of mind that strong customer privacy protection provides. Every step merchants take to shield customer credit card information from prying eyes is an investment in their business's long-term success. Customers will reward merchants they can trust to handle their information with integrity across every channel—including good old-fashioned paper.

Securely Store Your Customer’s Card Information with Zen Payments

Meeting PCI compliance requirements is a large burden for business owners, and a partner can help. The services we offer at Zen Payments can help you meet compliance and securely store your customer’s data.

Contact us today to see how Zen Payments can be a partner in securely storing your customer data.


Lizzy joined the Zen Payments team following her graduation from Utah Valley University. As a dedicated customer service representative, she brings extensive experience in client relations and customer support. Lizzy is committed to delivering exceptional service to all Zen Payments clients.

