What Should a PCI Compliant Credit Card Authorization Form Look Like

When you pay by credit card and the card is not available, you take on a certain degree of risk. To guard against this risk, you can ask your customers to sign a document that allows you to withdraw funds from their cards on an ongoing basis. This document is called a credit card authorization form.

Although not legally required, credit card authorization forms may be a best practice for merchants in certain situations. It is also advised that you inform your client and provide them with how fees will be handled in future transactions.

See Also: PCI Requirements for Storing Credit Card Information on Paper

A chargeback is a dispute process that happens when a customer disputes a charge received from your company and asks the card issuer to withdraw that charge. A credit card authorization form is an excellent way to avoid chargebacks because you prove that the customer made an approved charge.

You have a much better chance of winning your case with the card issuer if you have a signed document by the cardholder authorizing you to receive payment on their card.

What is a credit card authorization form, and why is it used?

A credit card authorization form is a typically physical document signed by the cardholder that authorizes the merchant to make a payment using the credit card for a specific period. The credit card authorization form is an official document. The cardholder signs the document to authorize the business. The merchant can then charge the card a fixed amount for a certain period.

The credit card authorization form is typically used by businesses so that they can continually charge the cardholder. The credit card authorization form is also essential for avoiding chargebacks.

A chargeback occurs when a customer does not participate in a charge from the business. It then asks the card issuer to reverse the transaction.

The credit card authorization form typically includes:

  • Card holder’s credit card information (card type, name on card, card number, Expiry date)
  • Seller’s business information
  • Cardholder’s billing address
  • Letter authorizing the seller to withdraw money from the customer’s card on file
  • Cardholder’s name and signature
  • Date

There is no place for CVV on the credit card authorization form because recording a customer’s CVV violates PCI standards. If you wish to enter a payment manually, you must request the CVV directly from the customer each time you enter the card.

PCI compliance standards require all businesses that process, store, or transmit credit card information to limit physical access to cardholder data. Keep cardholder data secure by storing completed forms in a secure room or file cabinet and restricting access to only employees who require this information to perform their duties.

When do you use the credit card authorization form?

The primary purpose of the credit card authorization form is to provide proof that the cardholder has sufficient funds for the transaction. Therefore, the user has to fill in all the essential details to verify their card.

Completing the credit card authorization form is only the first step in obtaining approval for purchases. There are some more essential steps to follow to protect both buyer and seller.

See Also: PCI Compliance Recommendations for Mail and Fax Orders

When the user uses a credit card to make a payment, information about the card is obtained by scanning the credit card at the cashier. By swiping the card, all the details are instantly visible. In the case of a credit card authorization form, the form containing the card and transaction information is sent to the relevant company.

Another way to submit card details is to send the information through the merchant’s payment device manually. However, neither the buyer nor the seller is secure when sensitive data is sent manually via the merchant’s payment device.

See Also: PCI Requirements For Storing Credit Card Information

Whichever method is used to send card information, the next step is to send the credit card authorization form to the issuing bank. The respective processor company will perform this step.

The bank then validates the account verification, card expiration date, and account balance before continuing. Then, the bank transmits the authorization number to the agency’s internet application over the internet. If the request is approved, the required money is deposited to the seller by the bank.

In general, the form contains all the information necessary for the entire process of shopping with a credit card. Before completing the transaction, the company may request that the cardholder complete the credit card authorization form and send it to them via fax.

There are several situations where you may need a credit card authorization form. It is essential to use a credit card authorization form, especially if you do not have access to a credit card while performing the transaction.

  • Use a credit card authorization form if the cardholder is not physically present at the transaction time. For example, if your customers order online, via email, or by phone.
  • A credit card authorization form is required for businesses without traditional stores. If your company does not operate with physical infrastructure, a credit card authorization form is a must.
  • You can also use the credit card authorization form for your future credit card bills. When you make the transaction, the customer’s credit card is not charged. Instead, the sale has a pending status on the cardholder’s account. These are commonly known as “authorization-only” transactions. Such transactions are common with car rental companies and hotels.
  • You can use the credit card authorization form to authorize recurring or ongoing payments. These are also known as “card on file” transactions. This is when the cardholder authorizes the business to charge for recurring payments. Subscription-based services are examples of such transactions. The subscriber may charge a subscription fee from the cardholder every month.

Tips to remember when accepting a credit card authorization form

Credit card authorization forms are beneficial for your business. Without credit card authorization forms, you risk putting your business in financial jeopardy. However, there are some security tips and PCI requirements to remember when accepting credit card authorization forms for your business:

  • Never store customers’ security code data while making transactions. Storing the security code is against the rules of card and payment brands. If you cannot protect such sensitive data, there could be huge problems for your business.
  • Recording a customer’s CVV is a violation of PCI standards. That’s why there shouldn’t be any fields for CVV on the credit card authorization form. If you want to enter a payment manually, you must request CVV directly from your customer each time you enter the card.
  • The cardholder’s CVV or CVV2 can never be stored after authorization, even if encrypted on paper or digitally.
  • It is not convenient to store the full PAN (primary account number) on paper. According to PCI DSS Requirement 3.4, the card number must be rendered unreadable wherever it is stored.
  • If you have a legitimate reason to store cardholder data, you should implement a quarterly card data wipe plan.
  • PCI compliance standards require all businesses that process credit card information to restrict physical access to cardholder data. Keep cardholder information secure by storing completed forms in a safe room or filing cabinet. Also, limit the access to employees only who require forms to perform their duties.
  • Credit card authorization forms must be in a separate locked environment. For example, if a media disk is in a locked room, the sensitive files should be in a separate locker with nothing else.
  • You should keep a physical log to track who removed what from the secure area where credit card authorization forms are kept and, if different, who used it.
  • You must maintain a record of visitor information and physical audit permissions of activities in any area where payments are processed, including visitor name and company and facility personnel allowing physical access.
  • You can also store completed forms in an encrypted private client portal using a secure file transfer application. However, sharing a PDF via email can create a security vulnerability.
  • If you will send your customer a copy of the credit card authorization form online, encrypt the PDF and send it using an encrypted email.
  • You may retain all signed credit card authorization forms for up to two to three months after you discontinue card enrollment, as chargeback times can vary.

What are the alternatives to paper credit card authorization forms?

Using paper credit card authorization forms can be risky and, in some cases, inefficient, and there may be situations where customers don’t want or like to use them.

  • Online payments via the hosted checkout page. Customers make their payments via a direct link to the third-party hosted checkout or embed an iframe on the merchant website.
  • Pay from a text or email message. Low-cost, non-integrated solutions are fast and easy to adopt.
  • Electronic Invoice Submission and Payment. It is an integrated solution for customers to pay bills, including automatic updating of the ledger. Some require a portal login to pay, and others enable direct payment from email or text.

If customers are not self-paying, request a signed PCI Compliant credit card authorization form to reduce the risk of disputes for variable and recurring sales. PCI Compliant credit card authorization forms contain a token ID instead of the card number and are worthless as the information cannot be viewed by thieves if stolen. This also reassures customers that security best practices are in place.

Surkay Baykara
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

What’s New in PCI DSS v4.0?

PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address emerging threats and technologies better and provide innovative ways to combat new threats.

Firewall Rule Configuration Best Practices

When it comes to securing firewall rules, firewalls have a sensible procedure to follow. Whether you're upgrading hardware or establishing a whole new environment, the order of the procedures will differ.

Advantages of Using a Credit Card Vault for PCI

A credit card vault is a tool or tool that securely stores customer credit card numbers. In most cases where you use a credit card vault when you accept a card number from a customer, sensitive data does not enter your device, computer, or network.

Related posts

Latest posts

What’s New in PCI DSS v4.0?

PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address emerging threats and technologies better and provide innovative ways to combat new threats.

Firewall Rule Configuration Best Practices

When it comes to securing firewall rules, firewalls have a sensible procedure to follow. Whether you're upgrading hardware or establishing a whole new environment, the order of the procedures will differ.

Advantages of Using a Credit Card Vault for PCI

A credit card vault is a tool or tool that securely stores customer credit card numbers. In most cases where you use a credit card vault when you accept a card number from a customer, sensitive data does not enter your device, computer, or network.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!