Asking a customer to insert or tap their card themselves gives them control of the transaction process. You should avoid handling the card yourself where possible.
Never ask the customer for their PIN. This is sensitive cardholder account data that you do not need.
In cases where card-present payments are not possible (for instance, when taking payment over the phone), the best you can do is to ask the caller if the payment card belongs to them. If they say no, you should ask to speak to the cardholder.
If you do not hear the card number fully, ask the customer to repeat all of it. Do not repeat the card number back to them. If you are recording the call, ensure that call recording is paused when asking for card information.
You must not write down cardholder account data unless the college has explicitly informed you that this is part of the process to take payments.
This is because hardcopy data is not secure and places this sensitive information at risk.
Any time the customer’s PAN is displayed (such as on a receipt), it should show at most the first six and last four digits. For example: 112233******7788
Email – No request should ever be made for credit card information to be sent by email. Any card information received by email should be deleted immediately, and the cardholder should be informed that we cannot process information received via email.