PCI compliance question

Status
Not open for further replies.

Jeff7181

Lifer
Aug 21, 2002
I ran into a situation today where a vendor is requiring that I give them credit card information over the phone in order to change what they have on file rather than allowing me to update it online where it was entered to begin with.

If I'm not mistaken, this is an issue of non-compliance with PCI standards because the phone operator is handling my credit card information.

Short term, my solution is not to buy from this vendor, but I'm curious whether this violates PCI regulations and I'm having a hard time finding that info in some of the PCI compliance guides I've found online.
 

Oceanas

Senior member
Nov 23, 2006
That is allowed under PCI. PCI, as it would apply to vendors, deals with how CC data is stored. The guidelines say that when the PAN (card number) is entered into whatever system they are using (and confirmed for accuracy) it should be rendered unreadable by the system. Even in that case, people with a legitimate need to have access to the actual PAN are allowed to do so.
You can read a bit about it here, although that document mostly deals with call center recordings.
 
Rage187

Lifer
Dec 30, 2000
It would be non-compliant if they then wrote it down on a sticky note and put it on their monitor.
 

mvbighead

Diamond Member
Apr 20, 2009
Not a PCI compliance issue.

I work IT in a call center. We have to go through PCI compliance shebangs all the time. If taking a CC over the phone violated PCI, that'd put about 500-700 people out of work in my office, and render the office nonexistent, as 90% of the other positions wouldn't be necessary at that point.
 

Jeff7181

Lifer
Aug 21, 2002
Yeah, I did come across that, but like you said it deals mostly with call center recordings. I'm just pissed because I'd like to continue buying from this vendor, but I will not give my credit card number, name, expiration date and CVV over the phone. That's the reason I'm in this situation now... three months ago I had to get a new credit card because some fraudulent charges showed up on my account... coincidentally less than a week after I had given my card information over the phone to make a payment.
 

mvbighead

Diamond Member
Apr 20, 2009
Yeah, I did come across that, but like you said it deals mostly with call center recordings. I'm just pissed because I'd like to continue buying from this vendor, but I will not give my credit card number, name, expiration date and CVV over the phone. That's the reason I'm in this situation now... three months ago I had to get a new credit card because some fraudulent charges showed up on my account... coincidentally less than a week after I had given my card information over the phone to make a payment.

Not to be an asshat, but if you went to a restaurant and at a later date saw more fraudulent charges, would you stop going to restaurants?

If you trust the vendor and have a good relationship with them, why the big deal about giving them the number over the phone? Hell, they already have your other number in the system. If they have a bad employee, they have a bad employee. No reason to stop using a credit card because you encountered one dickhead. That's why most credit cards have some method of fraud protection.
 

deadlyapp

Diamond Member
Apr 25, 2004
I don't know. Citibank would provide me credit card numbers and expiration dates for customer credit cards over the phone while I was working at Sears. They did require quite a number of hoops to jump through to get those numbers, obviously, but it wasn't difficult to do if you had the customer there and their information.
 

Jeff7181

Lifer
Aug 21, 2002
Not to be an asshat, but if you went to a restaurant and at a later date saw more fraudulent charges, would you stop going to restaurants?

If you trust the vendor and have a good relationship with them, why the big deal about giving them the number over the phone? Hell, they already have your other number in the system. If they have a bad employee, they have a bad employee. No reason to stop using a credit card because you encountered one dickhead. That's why most credit cards have some method of fraud protection.

I would stop going to THAT restaurant, yes. Especially if they allowed me to provide my payment information in a secure manner, then the next time I visited with a different credit card, made a hard copy of my card number and personal information.

To me, that's the equivalent of what's going on here. They allow me to make a purchase by sending my encrypted payment information to them and then in order to change that to make additional purchases I have to provide my payment information in an insecure manner. I never would have made a purchase from them in the first place if I had to read them my credit card number over the phone.
 

Jeff7181

Lifer
Aug 21, 2002
I don't know. Citibank would provide me credit card numbers and expiration dates for customer credit cards over the phone while I was working at Sears. They did require quite a number of hoops to jump through to get those numbers, obviously, but it wasn't difficult to do if you had the customer there and their information.

Right... so why should I just give my information to some person who could do anything they want with it?
 

brandonb

Diamond Member
Oct 17, 2006
Simply put, PCI requires:

1) The 3 digit code not to be stored in the database after the CC payment is processed.
2) CC Account number is masked on an agent screen if pulling up your details.
3) CC Account number is encrypted in the database.
4) If a call center has call recording, they have to turn off recording of your phone call while you are stating your CC# and 3 digit code. A lot of times that's why you get transferred to another person for payment processing when calling someone, but more sophisticated systems allow the agent to click a button on their screen to toggle recording on and off.

<--- Works for a call center and a collection agency.

There may be more, but that's what's been relayed to me. Since I do the programming, I have to handle the first 3 bullet points.
 
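A small illustration of the first three points above, written for this thread and not taken from any poster's system: the CVV is never copied into the stored record, the PAN is masked for the agent screen, and a keyed one-way hash (one of the methods PCI DSS 3.4 lists for rendering the PAN unreadable) stands in for the PAN in the database so a card can still be matched on a later call. The key, the sample card and the field names are assumptions.

```python
import hashlib
import hmac

def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes people type when reading a card number out."""
    return "".join(ch for ch in pan if ch.isdigit())

def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to reject mistyped PANs before anything is stored."""
    digits = [int(ch) for ch in normalize_pan(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 12 and total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form for an agent screen: every digit but the last four is masked."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN so a card can be matched on a
    later call without the PAN itself being kept. The key must live outside the DB."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()

def record_for_storage(card: dict, key: bytes) -> dict:
    """The row that may be written once the payment is processed: the CVV is never
    copied and the PAN is replaced by its masked form plus the keyed reference."""
    pan = normalize_pan(card["pan"])
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check")
    return {
        "name": card["name"],
        "expiry": card["expiry"],
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan, key),
    }

def matches_stored(pan: str, stored_ref: str, key: bytes) -> bool:
    """Constant-time comparison of a freshly read-out PAN against the stored reference."""
    return hmac.compare_digest(pan_reference(pan, key), stored_ref)

# Constructed sample input; 4111 1111 1111 1111 is a widely used Luhn-valid test number.
SAMPLE_KEY = b"example-hmac-key-kept-outside-the-database"
SAMPLE_CARD = {"name": "A. Customer", "pan": "4111 1111 1111 1111",
               "expiry": "12/29", "cvv": "123"}
```

The keyed hash is not a substitute for the full requirement set (key management, access control and the rest of the standard still apply); it only shows the shape of a record that does not carry the raw PAN or CVV.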

seepy83

Platinum Member
Nov 12, 2003
Simply put, PCI requires:

1) The 3 digit code not to be stored in the database after the CC payment is processed.
2) CC Account number is masked on an agent screen if pulling up your details.
3) CC Account number is encrypted in the database.
4) If a call center has call recording, they have to turn off recording of your phone call while you are stating your CC# and 3 digit code. A lot of times that's why you get transferred to another person for payment processing when calling someone, but more sophisticated systems allow the agent to click a button on their screen to toggle recording on and off.

<--- Works for a call center and a collection agency.

There may be more, but that's what's been relayed to me. Since I do the programming, I have to handle the first 3 bullet points.

There's much more to it than that. PCI has over 200 requirements that may apply to any given merchant depending on how they process credit cards.

But, like was said earlier, the situation described by the OP is not a non-compliance.
 

mvbighead

Diamond Member
Apr 20, 2009
I would stop going to THAT restaurant, yes. Especially if they allowed me to provide my payment information in a secure manner, then the next time I visited with a different credit card, made a hard copy of my card number and personal information.

To me, that's the equivalent of what's going on here. They allow me to make a purchase by sending my encrypted payment information to them and then in order to change that to make additional purchases I have to provide my payment information in an insecure manner. I never would have made a purchase from them in the first place if I had to read them my credit card number over the phone.

But that is not the practice you are applying.

I said a restaurant, followed by restaurants (as in, any business that is known as a restaurant).

You said you used your card to make a payment over the phone, and thus will not do business with anyone over the phone using a CC.

See what I am getting at here? You ceased doing business with all businesses over the phone because you had a problem with one business, so why would the same practice not apply to restaurants? If you have a problem with one, why would you assume you wouldn't have one with someone else?

My general point is you are assuming all call based CC sales are going to result in fraudulent use of your CC. The reality is, you are speaking with one sales agent who is entering the data into a system (most likely). The only insecure part is that particular agent and their practices. Otherwise, it is no different than entering your CC in a system on a form on the Internet. When an agent is found to be writing that data down, they are fired on the spot, and potentially gone after legally.

In any case, you are writing off payment over the phone when the reality is, you had one bad experience with one bad agent.

EDIT: To further my argument about restaurants, you should know that the waiter/waitress has access to your credit card number, at that point in time. Or the store cashier who needs to run your card through the slider that only they have access to. It may be limited access, but it is the same limited access that is given to the person on the other end of your phone call.
 
Jeff7181

Lifer
Aug 21, 2002
But that is not the practice you are applying.

I said a restaurant, followed by restaurants (as in, any business that is known as a restaurant).

You said you used your card to make a payment over the phone, and thus will not do business with anyone over the phone using a CC.

See what I am getting at here? You ceased doing business with all businesses over the phone because you had a problem with one business, so why would the same practice not apply to restaurants? If you have a problem with one, why would you assume you wouldn't have one with someone else?

My general point is you are assuming all call based CC sales are going to result in fraudulent use of your CC. The reality is, you are speaking with one sales agent who is entering the data into a system (most likely). The only insecure part is that particular agent and their practices. Otherwise, it is no different than entering your CC in a system on a form on the Internet. When an agent is found to be writing that data down, they are fired on the spot, and potentially gone after legally.

In any case, you are writing off payment over the phone when the reality is, you had one bad experience with one bad agent.

EDIT: To further my argument about restaurants, you should know that the waiter/waitress has access to your credit card number, at that point in time. Or the store cashier who needs to run your card through the slider that only they have access to. It may be limited access, but it is the same limited access that is given to the person on the other end of your phone call.

I see your point. The payment I made over the phone that resulted in fraud was unique. It was the first time I had done that and it just confirmed that I was correct to avoid making payments over the phone.

I suppose I'm making a bigger deal out of this than it actually is, and maybe if I changed the way I manage my personal finances and segregated high risk transactions it wouldn't be such a pain when my information is compromised and I have to get a new card.

Regardless... a merchant that provides a method for me to enter payment information, but not update it online would appear to have an antiquated system and probably shouldn't be trusted with my payment information to begin with.
 