Update: 9/18/2020 — There is a new and more up to date article about credit card authorization forms.
The post includes a tutorial video and a link to download free credit-card-on-file templates, which are better to use than these standard credit card authorization templates.
Now, on to the original post from 2013. —
Your doors are open, your merchant account is up and running and the orders are coming in.
Your sales process allows for your customers to buy from you by writing their credit card number on an authorization form and sending it to you.
You’re wondering how to properly accept payments via credit card authorization forms.
With the advent of PCI compliance and other regulatory measures, there are two main reasons to make sure you’re following proper procedures, beyond of course gathering the cardholder data needed to process the payment:
- For your protection against all possible chargeback situations
- To comply with PCI guidelines
Let’s explore a couple of considerations related to accepting credit card authorization forms so you can properly advise your customers and employees.
Suggested fields to have on the form
Whether you’re accepting an authorization form for a one-time payment or for a recurring payment, you want to make sure that certain fields are filled out in order to properly process the transaction.
For example, if you gather the name, credit card number and billing zip code, but forget to ask the customer for the CVV2 number on the back of the card, you might not be able to process the transaction. Depending on how your merchant account is configured, address verification permissions can be set to decline transactions if all fields aren’t entered at the time of sale.
So that’s why it’s important to pay attention to and enter all of the data fields on your form.
Here’s the minimum suggested information, although none of this is a strict requirement. Generally speaking, the more customer data you gather the better, as long as it’s stored properly.
Either way, here is a list of the recommended items that you should have on the form:
- Date
- Brand Of Card Being Charged (e.g. Visa, Mastercard, Discover, AMEX)
- Cardholder Full Name
- Cardholder Billing Address
- Card Number
- Card Expiration Date
- CVV2 Code (3 or 4 digit code)
- Extra Contact Information (phone number, email, etc…)
Here’s a sample authorization form with the suggested fields in place.
Turning verbal authorization into written proof
The simple reason for gathering an authorization form from your customer for the sale of a product or service is so that you have proof that the customer authorized you to charge their credit card for the product or service you provide.
When considering the possibility of a chargeback, if you are questioned as to whether the charge was authorized, you will be able to provide proper documentation to validate the charge.
Add a purchase order
If you don’t already have one, it’s never a bad idea to have a purchase order in place that goes along with the credit card authorization form.
The purchase order can and should have all of the customer information on it—as listed above—with the exception of the credit card number itself.
The credit card number is left off the purchase order so that the document can be saved without having to jump through the PCI compliance hoops that go along with storing credit card numbers.
Methods of delivery
After your customer has agreed to buy from you, if their method of payment involves a credit card authorization form, you have a handful of options to collect the form.
Your choices are:
- Fax
- Mail
- Hand delivery (in person)
- Email (PDF attachment)
Fax, mail or hand delivery are the preferred methods.
I have listed these in order of preference according to ease of PCI compliance. In other words, fax is the most secure method for transmitting a credit card authorization form.
Yes, fax still trumps the almighty email.
When it comes to securely passing data from one person to the next, an analog phone line is a closed circuit with encrypted data signals, making it highly unlikely that someone hacks into the phone line during a fax submission.
The same cannot be said about email transmission. We all realize at this point that it’s not very hard for professional hackers to get into email.
For this reason, it’s highly discouraged to allow your customer to email you a full (or even partial) credit card number in the body of an email. This practice makes you extremely vulnerable to a security breach.
Just remember that you should never, ever allow a customer to email you their credit card number in the body of the email.
Shred it or Store it?
After receiving the authorization form via fax, mail, or hand delivery, it’s okay to shred the form or to store it, on paper or electronically, as long as it’s stored properly.
Some would say you should shred it, but it’s actually a matter of preference. Again, if you have safe storage measures in place it’s not a problem, e.g. firewalls for electronic storage and locking file cabinets for paper storage.
You will be required to answer a couple of additional questions on your annual PCI compliance audit, but beyond that it’s completely up to you.
Proper storage practices include:
#1 – Locked Cabinet
If the paper document is stored out of reach of other customers in a locked filing cabinet, it is permissible to keep the paper file. Some businesses even make it a practice to store paper files in an off-site storage location.
#2 – PDF or Electronic File
If the authorization form is stored electronically on company servers with the proper firewalls in place it will still pass PCI certification and compliance requirements.
Again, it is important to note that the proper firewalls must be in place; the security scan performed during routine yearly compliance audits will verify that this measure is followed.
Just keep it safe
Hopefully this has answered your questions about credit card authorization forms and even given you an idea of how to structure one for your business.
In the end, as long as you’re guarding your customers’ valuable cardholder data you are within the walls of compliance.
So, PCI DSS compliance (at least in the 2014 3.0 version) requires that the CVV2 code or similar (the 3- or 4-digit code that appears next to the signature panel on the back of most cards, your “CVV2 Code” form field above) must not in fact be *stored* with the rest of the data in the merchant’s credit card storage system, whatever the media used (paper included). This is per Requirement 3.2, which applies to card-not-present transactions.
Yet, this sample Form asks for it, and for a lot of offices, the *paper* is the primary medium on which *storage* takes place (which itself is covered by Requirement 9).
Is this something merchants should avoid? Does the sample Form above assume that this Form will be promptly and properly destroyed (covered by Requirement 9.8) after initial use?
Is the confirmation of non-storage of their own CVV2 something the *customer* of the merchant is entitled to verify?
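A worked example of the field handling covered by the post’s suggested-fields list and its storage section, and by the comment above, added here as an illustration rather than code from the original post or from the commenter: it checks that every suggested field is present and plausible before the transaction is processed, and then builds the record that can be retained as chargeback evidence, which carries no CVV2 at all and only the last four digits of the card number. The field names, the constructed sample form, and the card number (the widely published 4111 1111 1111 1111 test number) are assumptions, not values from the post.

```python
"""
Added example (not the post's own code): validate an authorization form,
then produce a record that is safe to keep. The CVV2 is needed to send
the authorization request but must never be written to the stored record,
and the full card number is reduced to its last four digits.
Field names are assumptions that mirror the post's suggested-fields list.
"""
from datetime import date
import re

# Fields the form must carry before the transaction can be processed
# (the post's list; "contact" is treated as optional extra information).
REQUIRED_FIELDS = ("date", "card_brand", "cardholder_name", "billing_address",
                   "card_number", "expiration", "cvv2")

# Constructed sample form (assumption). The card number is a public test
# number that passes the Luhn check; it is not a real account.
SAMPLE_FORM = {
    "date": "2013-06-01",
    "card_brand": "Visa",
    "cardholder_name": "Jane Example",
    "billing_address": "1 Example Street, Anytown, 12345",
    "card_number": "4111 1111 1111 1111",
    "expiration": "12/30",
    "cvv2": "123",
    "contact": "jane@example.invalid",
}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum: catches mistyped card numbers before submission."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(card_number: str) -> str:
    return re.sub(r"[\s-]", "", card_number)


def validate_form(form: dict) -> list[str]:
    """Return a list of problems; an empty list means the form can be processed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS
                if not str(form.get(f, "")).strip()]
    if problems:
        return problems

    pan = _digits_only(form["card_number"])
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        problems.append("card number fails format/Luhn check")

    if not re.fullmatch(r"\d{3,4}", form["cvv2"]):
        problems.append("CVV2 must be 3 or 4 digits")

    m = re.fullmatch(r"(\d{2})/(\d{2}|\d{4})", form["expiration"])
    if not m:
        problems.append("expiration must be MM/YY or MM/YYYY")
    else:
        month, year = int(m.group(1)), int(m.group(2))
        if year < 100:
            year += 2000
        if not 1 <= month <= 12:
            problems.append("expiration month out of range")
        elif date(year, month, 1) < date.today().replace(day=1):
            problems.append("card expired")
    return problems


def retention_record(form: dict) -> dict:
    """Build the record that may be kept for chargeback evidence.

    Deliberately omits the CVV2 (it must not be stored after authorization)
    and keeps only the last four digits of the card number, so the stored
    record no longer contains the full PAN.
    """
    pan = _digits_only(form["card_number"])
    return {
        "date": form["date"],
        "card_brand": form["card_brand"],
        "cardholder_name": form["cardholder_name"],
        "billing_address": form["billing_address"],
        "card_last4": pan[-4:],
        "expiration": form["expiration"],
        "contact": form.get("contact", ""),
    }


if __name__ == "__main__":
    issues = validate_form(SAMPLE_FORM)
    print("validation problems:", issues or "none")
    if not issues:
        print("record to retain:", retention_record(SAMPLE_FORM))
```

The validation step is what the post's "enter all of the data fields" advice amounts to in code; the retention step is the part the comment asks about, since the kept record is what ends up in the filing cabinet or on the server, and it never includes the CVV2 or the full card number.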