Question: We are developing our payment policy for a venue rental business and would like to request a credit card number to be submitted 14 days prior to the event to have on file for any damages that might occur during the event. Will I be in compliance by keeping this info until the event date?
Answer: So my take on this is that organizations can keep full PAN (primary account number) data and other cardholder data, with the exception of SAD (Sensitive Authentication Data, which includes the CVV2 value), on paper documents. There is no pre- or post-authorization requirement surrounding standard cardholder data. The pre-authorization caveat to storage refers only to SAD.
When keeping cardholder data on hardcopy/paper, requirements 9.5 through 9.8.2 (PCI DSS 3.0) apply. These controls include secure storage of the paper documents, proper access control to the paper documents, destruction of the paper documents when no longer needed, etc.
Here is 9.8.1 from DSS 3.0:
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
In my opinion, there wouldn’t be the need for the 9.8.1 requirement if cardholder data wasn’t allowed to be stored on hard copy documents.
All of this is to say that the mantra “if you don’t need it, don’t store it” still applies. If you determine that a cardholder data storage process is necessary for your business, I would advise you to examine other ways to keep the card on file – e.g., implement a tokenization mechanism so that you can electronically enter the card number, receive back a token, and then store that token. This is obviously much more involved than recording the information on paper, but it eliminates the need for cardholder data storage.