Sending Credit Card and Debit Card Information by Email is Risky
Unlike many merchants, most associations never have a customer hand us his or her credit card to us make a payment.
Association and event managers usually process credit card payments using information provided to us through a secure/encrypted website – that is a site where the address/URL begins with “https://” – as part of a person registering on a website for a conference or professional development event.
There may be times when it seems like an easy solution to simply request credit card information via email instead of setting up a secure online registration system but credit card information sent by email is not secure.
The PCI (Payment Card Industry) Security Standards Council recommends that you should:
1. Discourage the sending of credit card information to the point of not processing credit card transactions when the information has been provided by email.
Email is transmitted and stored unprotected in clear text and leaves a long and often permanent trail of copies (for example: inboxes, sent folders, drafts folders, email trash, web browser caches, computer recycle bins, etc.).
Tell the customers that you would be in violation of PCI-DSS standards if you accepted credit card information by email.
2. Never use the “Reply” button in responding to your customers their original email without first deleting both of the following: all but the last four-digits of the credit card numbers and the three-numbers on the back of most credit cards (CVC code)1.
3. Remove your email address from any form/application or website that mentions credit cards.
4. Add the following (or similar) text in a very visible fashion to your form/application or website, discouraging the sending of credit card information over email:
“For your protection, we do not accept and will not process credit card information provided via email or text messages. Please contact us at x [insert telephone number] and we will gladly assist you.”
5. If an event attendee or association member cannot make a purchase online, then a fax or a telephone call are more secure alternatives.
(Please see the PCI Self-Assessment Questionnaires below on the correct handling of credit card information received by fax or phone.)
Benefit to Event and Association Managers of PCI Compliance
You can likely reduce your credit card processing fees and save money by becoming PCI compliant. The savings may apply to both your monthly fee and all processing fees.
Even if you do not decide to become PCI compliant, their Self Assessment Questionnaires can help you to improve your internal credit card processing procedures.
At Some Point You May Be Hacked
There is no way that you can guarantee that your website and/or server cannot be hacked no matter how much money you invest in technology so make the assumption that one day it will happen to you and make it as difficult as possible to happen, and as easy as possible to recover from.
1American Express cards have a four-digit CVC number on the front of their cards.
The above is provided for informational purposes only. It does not constitute legal, technical, or other professional advice, and you may not rely on it as such.