PCI Conundrum Of The Week: When Plastic Meets Paper

PCI rules have always—and wisely—discouraged using payment card numbers for anything other than processing payments. But sometimes those rules run contrary to long-established paper practices, procedures that pre-dated PCI's creation. A good example of this conundrum involves a federal agency, tax-exempt status forms, and the procedure of copying a government-issued payment card (this one happened to be Visa branded) and placing a copy in the file cabinet.

This situation involves the U.S. government's General Services Administration (GSA) and some GSA interactions enjoyed by Benjamin Moore & Co. (the paint people). The conflict cropped up when the chain was dealing with some military accounts in Hawaii. The issue comes down to needing that payment card copy in the files (tax-exempt rules) but being unable to save the copy of a Visa payment card (PCI rules).

One store manager wrote in a memo: "Our accounting department has checked around with various tax agencies to determine what would be acceptable proof for tax exemptions. The 'federal government' and 'state tax authorities' have recommended making a photocopy of the government Purchasing Card and storing them in case they were needed for an audit. Does this make any sense? I am recommending that we don't store photocopies, but the accounting department is saying that if the federal government is recommending this procedure, that is what we must do."

Lovely. A conflict between the GSA—which is where bureaucrats are sent when they become too grumpy to work for the IRS—and PCI, two entities that are well known for their flexibility and willingness to listen to the reasons why their rules can't be obeyed.

"This is definitely a PCI compliance issue. I'm surprised that state and local taxation authorities would recommend making a copy of a GSA PCard (branded by Visa) and storing that hard copy to validate tax exemption status," said one Benjamin Moore IT manager, who asked that his name not be used. "We have a policy not to copy or store physical credit card numbers, although this happens frequently within stores against policy, such as when a contractor gives his credit card number to charge his monthly balance. I guess the state tax authorities assume that the copies would omit the sensitive information. That is what our policy will be to the stores. We'll be having more discussions on how we will instruct the stores to handle these situations. I was hoping we had something in writing from one of the states that explicitly said to copy the cards and keep them on file."

There is no clear answer to this conundrum, except to indeed save the cards but black out the offending data. Such an approach is hardly ideal, however, because there are no good standards for blacking out. Is a black magic marker acceptable? How much scribbling is needed? It would seem that when plastic meets paper, ROC wins. Translation: Keep the QSAs happy and make sure nothing is readable.

But what if GSA insists that the tax exempt proof must show the payment card number? After all, with the numbers fully blacked out, it's no longer much proof of anything.