How Does Taking Credit Cards by Mail Work with PCI?

August 21, 2015 • Published Categories PCI 101 Tags , , , , , ,

As is the case with taking credit cards by phone, receiving sensitive payment information by mail or fax can raise concerns in relation to your organization’s PCI compliance process. Why is it such an issue? Because when card data is handled manually, the corresponding security controls are as much about the procedural and physical as they are about the technology systems in use.

More often than not, organizations that accept credit card information by mail or fax are handling other sensitive information along with the card data, such as phone numbers, email addresses, physical addresses, etc. All personally identifiable information (PII) needs to be treated as important and protected, so you have to take a holistic approach to your security process.

The first step is to familiarize yourself with PCI DSS Requirement 9, because it covers the basics of physical controls and the sensitive data your business takes on. You should also review Requirement 3, which outlines the protection of stored cardholder data.

Here’s a best-practice example from a ControlScan customer that receives credit card by mail and fax:

They gather the data each day, securely transport it, log its movement to an authorized supervisor who distributes and tracks it until another authorized person processes it at an isolated/monitored terminal. Once processed, they redact and securely store it (per legal requirements) in a vault and (years later) when no longer needed, they destroy it.

Have additional questions about how the PCI DSS applies to your business? Visit or give us a call at 1-800-825-3301, ext. 2. We’d be happy to help.

Subscribe to this blog for additional tips and webinar announcements.

Leave a Comment