QSA's View on PCI Compliance for Mail Orders
So, let's for a moment take the complications of technology-based controls out of it and, for simplicity, consider exactly how the PCI Data Security Standard affects a decidedly more "low-tech" form of cardholder data -- hardcopy transactions.
No, we have not chosen to exercise our flux capacitors. Rather, as hard as it may be to fathom in this modern era of iTunes and Amazon-fueled e-commerce, many transactions continue to be conducted by fax and mail.
OK, so perhaps given identity theft concerns, you personally would not submit your payment through such a method. Nevertheless, many orders still flow through this payment channel and, as is the case with all cardholder data, it must be secured, handled in compliance with the PCI DSS, and assessed as in scope.
Should the orders arrive with the morning mail? Should inter-office mail be used for departmental transfers? Should the orders be discarded into open recycling bins after being processed? Well...no. No, they should not.
For purposes of example, let us assume that all orders will be manually entered into PA-DSS-compliant, modem-connected POS terminals. As such, with the exception of a cardholder data flow diagram and perhaps a logical "network" diagram for good measure, PCI requirements 1, 2, 4, 5, 8 and 11 will mostly prove non-applicable. However, requirement 3's key management and requirement 6's change management controls will remain in play, in addition to many of the access control and logging requirements found within 7 and 10. And, of course, both the physical security requirements of 9 and the organizational policies and procedures within requirement 12 will continue to apply as well.
What might such a compliant environment look like? Perhaps all mail orders will be received in security envelopes and addressed to a single-purpose Post Office Box. Daily, and per documented key management procedures, one of two authorized key custodians will sign out the PO Box key and a locking courier bag key from a combination-locked, wall-mounted key storage box located in a secure processing room.
With the corresponding locking courier bag in hand, the custodian then transports the keys and bag to the Post Office, where they collect all orders. Placing the orders within the bag, they lock the bag and the PO Box, before promptly returning to the secure processing room, where they unlock the bag and provide all contained orders for processing. Thereafter, they sign back in the keys, return them to storage, and return the bag.
The processing room should have video monitoring of its entry/exit points and badge access to supplement facility security controls that include a manned reception desk, visitor logs and limited access to the badging system itself. Within the processing room, all mail orders will be opened by background-checked and authorized personnel, keyed into the POS terminals, and promptly cross-cut shredded.
Similarly, any fax-originated orders should be received on a dedicated extension terminating in the processing room and handled in the same manner: processed by authorized personnel and disposed of through cross-cut shredding.
Need to add/remove a POS terminal? See requirement 6.4 concerning change management. Need to grant someone access to the processing room? Ensure that their job function requires it in compliance with requirement 7.1.2 and that the request is documented and authorized in accordance with 7.1.3.
Need to retain the order data for a 90-day period to accommodate returns? Define this and any other applicable statutory, regulatory or business requirements within the organizational data handling, retention and disposal procedures (Requirement 3.1). Further, either a locking file cabinet located within the secure processing room should be used, with its key also stored within the previously mentioned key storage box, or a third-party service provider engaged to facilitate secure storage (Requirements 9.5-9.6).
Additionally, any off-site media should be recorded in management-authorized tracking logs and transported by secure courier or another delivery method that can be tracked (Requirements 9.7-9.8). Also, any service providers utilized in this process will be documented and managed in accordance with 12.8, and all such data will be marked as "Confidential" (Requirement 9.7.1).
While there are certainly far fewer requirements to comply with in a hardcopy-only environment, there is still plenty of work to do. It begins with careful planning and necessitates ongoing, active governance. Merchants and service providers alike should take the time to identify all cardholder data flows, irrespective of media, as PCI compliance applies to them all.
About the Author: Peter Spier is President of the ISACA Western New York Chapter and a Senior Risk Management Consultant at Fortrex Technologies, based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and, over the course of 12 years of experience, has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications, among other credentials.