In this article, we will discuss collecting and storing credit card information in Documoto and the responsibilities of Documoto customers regarding Personally Identifiable Information.
Regulations such as the European Union’s General Data Protection Regulation (GDPR) and various US regulations at the Federal and State level set rules and liabilities for businesses that control or process Personally Identifiable Information (PII). There can be substantial business liability for exposing PII outside its intended use.
Sensitive PII is a type of PII with even higher protection requirements. Sensitive PII includes information such as social security number, birth place, and financial information, such as a credit card number.
Web Application Services Agreement (WASA)
Documoto takes steps to secure your content, including utilizing encryption between our servers and your users, yet there is always the possibility of a breach or security failure exposing information. Our Web Application Services Agreement makes it clear that you own all your content. It is the customer's choice to decide what information to collect and how to use it. This includes information collected from placed orders. However, we highly recommend that you do not use Documoto to request or store sensitive PII.
Here are a few alternative suggestions we can make:
- The customer could obtain enough contact information via the order to reach the order placer and securely obtain credit card details over the phone, or to email a secure method for paying by credit card (such as PayPal, Square, Stripe, or a similar service).
- The customer could add a label on the order submission form stating that credit card payments will be processed after order submission, and that the order placer will receive an email or call requesting payment.
- The customer could implement an eCommerce system, with a payment processing solution included, that integrates with Documoto.