Question: I work for an e-commerce company and have a question about storing credit card information. In the past, if an order contained potentially fraudulent information we would request a credit card authorization form, which would require a front and back scan of the card as well as a scan of their ID. I am curious whether asking for and storing that information is PCI compliant. If we continue to ask for this information, would we comply by asking them to black out the middle eight digits? Also, how long can we store hard copies of this information while still complying?
Answer: If copying the card also copies the CVV or other authorization data, you are never permitted to store such data. It sounds as though this would be captured if a full front/back scan is performed. So the act of capturing this information is okay, but the act of storing it is non-compliant.
Your company would not be permitted to store copies of full PAN/CVV for any period of time under any circumstance; however, after obtaining this information you could sanitize it for storage by blacking out (with a black sharpie – whiteout would not work since it can be removed) the non-permissible bits that must be rendered unreadable.
Additionally, all of the physical security controls associated with safeguarding cardholder data would need to be implemented, so, for example, physical controls around the filing cabinets where this data is stored.
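The same sanitize-before-storing rule applies to any digital record of the form (a scan's OCR output, a ticketing-system field). The following is an added example, not code from the question or the answer: it drops sensitive authentication data outright, truncates the PAN to at most the first six and last four digits (the most PCI DSS allows to remain visible), and offers an audit check for records that were stored unsanitized. The field names and the sample intake record are this example's own assumptions.

```python
import re

# Sensitive authentication data (SAD): never to be stored after authorization,
# even encrypted. These field names are an assumption of this example.
SAD_FIELDS = ("cvv", "cvv2", "track_data", "pin", "pin_block")


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' equals '4111111111111111'."""
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """True if the digits form a plausible full PAN (13+ digits, Luhn checksum ok)."""
    digits = [int(c) for c in normalize_pan(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep at most first six / last four digits; replace the rest with 'X'."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most the first six and last four digits")
    digits = normalize_pan(pan)
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to truncate safely")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "X" * hidden + digits[-keep_last:]


def sanitize_for_storage(record: dict) -> dict:
    """Digital 'black sharpie': drop SAD fields, truncate the PAN, keep everything else."""
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in clean:
        clean["pan"] = truncate_pan(clean["pan"])
    return clean


def storage_violations(record: dict) -> list:
    """Audit check for records already on disk: reasons this record must not be kept."""
    problems = [f"contains {k}" for k in record if k.lower() in SAD_FIELDS]
    if luhn_valid(str(record.get("pan", ""))):   # a truncated PAN fails this test
        problems.append("contains full PAN")
    return problems


# Constructed sample intake (test card number, not real cardholder data).
INTAKE = {"name": "A. Customer", "pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}
```

Run `storage_violations()` over an existing store to find records that were filed before sanitizing and must be re-processed or destroyed.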