Industry News | November 30, 2009

Are Your Employees Writing Down Credit Card Numbers?


An independent audit of 100 of the top restaurant chains in the U.S. revealed that 80 percent of those chains have at least one unit putting customers’ identities at risk of theft., an online and mobile transactions firm, recently released its PCI Risk Rating Study, which found that a number of restaurants are in violation of PCI regulations. The violations involve employees who write down credit card numbers given to them from customers ordering over the phone.

Noah Glass, CEO of, says the firm set about to perform the study after learning how strict the rules are for call centers often used by retailers for credit card transactions.

“I heard [about] these guidelines, which are very strict and include not allowing people to bring in writing implements with them into the facility and incinerating all documents and shredding all documents,” he says. “I started to think about our restaurants, who oftentimes take in credit card information over the phone for takeout orders.”

Glass says the firm randomly selected five units from each of the 100 top restaurant chains in the U.S. as part of the study. The firm called each of these units to place a takeout order, and noted which of those units had employees offer to write down a credit card number, an action that violates PCI regulations.

Results of the study showed that 80 percent of the chains had one unit or more write down the credit card number. Chains with nationwide online ordering tools were three times more likely to be in compliance with regulations, and pizza chains had 31 percent fewer violations of PCI guidelines.

Violations of the PCI guidelines may be so widespread, Glass says, because chains often believe that simply having a company policy is enough to comply.

“Where the rubber meets the road, you really do have operators who are still taking credit card information over the phone, and I think that there’s been this sort of false comfort of, ‘Well we have a policy, so it’s not being done,’” he says.

“It doesn’t really work when you’ve had a breach and you’re liable for hundreds of thousands of dollars, to say, ‘We have a policy against it.’”

On July 1, 2010, stricter PCI compliance rules go into effect across the U.S., which Glass says has restaurant IT employees rushing to fix the holes. He says there are many ways restaurant chains can ensure that no credit card numbers are written down within units, including increased usage of call centers or online ordering.

“There needs to be more of a formal process in place for taking those credit card details in the risk of somebody using those credit card details outside of the restaurant,” Glass says.

By Sam Oches


I work in a call center and we recently had to take a test about credit card use. In the test it stated that we are not to write down cc numbers and especially the security code. This is done on a regular basis at the company I work for. If someone's card has declined, we have to write down the new card number with the exp date and the sec code, and it goes into a box for the supervisor to handle. I have seen these papers on employees' desks for days if they forget to turn them in. What do I do? We also recently started charging people for the shipping costs even if the stuff they ordered is out of stock. Please help.
