Fitness Center Management: The Role of Keys and Filing Cabinets in PCI Compliance

November 29, 2011
By: Jeff Estes
ABCDM Administrator

We’ve all got them. For most of us in the industry, filing cabinets are critical pieces of office furniture. We have to have a place to store things like contracts, printed emails, vendor agreements, and old utility bills. The same thing goes for keys. We have keys to offices, various doors, and that closet where you keep the toilet paper and the ugly mop bucket.

I know that you probably look at that key ring sometimes and wonder how many of the keys actually still fit a real lock. You probably have keys on your key ring that you can’t even use anymore.

Did you know that a part of your PCI compliance standing has to do with your key and fitness center management strategy and what you store in your filing cabinets? You probably don’t think much about PCI compliance until you see it in an ABC Newsletter or on our website. You might get the occasional piece of mail that mentions it, but for the most part you just hope that ABC stays PCI compliant. You probably use our products and services and figure that you’re pretty safe on how you handle credit card processing. While it’s true ABC does do most of the “heavy lifting” when it comes to maintaining and providing PCI compliance, there is still a responsibility on you as a merchant to hold up your end of the bargain.

This month I want to discuss Key Access Control and the storage of PANs (primary account numbers, the 16-digit card numbers) on paper and in electronic storage.

To meet the spirit of PCI DSS compliance, you will need to adhere to its requirements and not violate the spirit of the agreement. Regarding your fitness center management and key control, you should maintain a log of the keys to any place where your cardholder data or networks can be accessed. This includes offices, workstations, unused network jacks, and network infrastructure. Keys should be checked out and back in, with a log that lets you prove that you know not only how many keys you have in inventory, but also who has them and who has not returned them. Some keys, like your front door key, should be marked as DO NOT DUPLICATE. Keys to filing cabinets and locked drawers should not be left sitting in the locks.

Most health club operators today know that writing down a credit card number on a paper agreement, a receipt, or an index card is a bad idea. The same thing goes for imprinting a card on the agreement or receipt. If you’re still doing manual imprints of cards, you need to re-evaluate your risk portfolio and insurance coverage in the event that you get audited or have a breach. The fines, fees, and negative publicity could destroy your business. Health club software provider ABC Financial does provide PCI compliant storage of cardholder data via our website and DataTrak software. If you utilize our Card on File options and EAE, you shouldn’t have a huge need to store credit card numbers anywhere else. If you do print out agreements or have older agreements on file, consider destroying them or at least marking out the visible credit card numbers to maintain the spirit of compliance.

If you haven’t reviewed your quarterly external compliance scans, please take a moment to verify that you’re fully compliant, and don’t forget to check your status quarterly. If you experience a breach or get audited, your complimentary breach coverage may not be available.