The following article was prepared by Mike Taylor, C.P.M. for distribution to NAPM affiliate newsletters. 
March 07, 2001

Purchasing Card Security Plan
 for on-line ordering

I have suggested that we set up Purchasing Card and User Data security plans with vendors that we have blanket orders with. Here is a question that prompted a further explanation.

Question: The bigger picture is that we have requisitioners that are ordering from suppliers e:store sites that are not part of our commodity alliance suppliers. How do we handle notifying those suppliers about our expectations for a security plan? Isn't there some type of "industry standard" for suppliers that accept credit cards as payment method that part of their contract with their card holder bank is what process to follow in the event a card is compromised? Maybe it would be appropriate the P-Card process description to include some guidelines for all card holders to follow for doing business with e:store suppliers?

Answer: Good point;

In most cases, if we click into a vendor's web site and place an order, the user will be subject to the vendor's terms of sale which should be posted on the site. I doubt we will be able to negotiate any different terms and/or that a user would be willing to try. The vendor and us would also be obligated to follow the terms of our written agreement with the credit card company or bank for timely notification, etc. But who does the notifying and when?

For one-at-a time occasional purchases, we can't reasonably do much to protect ourselves. Users should be trained to look for and avoid flaky and risky vendors. User should also be directed to provide only the minimal amount of information necessary and to instruct the vendor NOT to STORE OR RETAIN P-CARD OR USER INFORMATION.

I'm more concerned when we have set up a long term agreement with a vendor. In that case, we have deliberately negotiated an agreement and directed our users to the specific vendor. We may have also provided the vendor with more detailed information about our users and/or P-card program. We are thus obligated to consider the risks involved with providing the information and
take steps to protect the interests of our company in the negotiated agreement. This must include talking reasonable precautions and making sure the vendor complies.

As we generate more e-commerce orders we need to be consistent about security concerns. You may already provide a plan to buyers and users? If not, we need to decide what we want to do and set something up so the buyers have consistent information to give to the vendors. Since many of these new e-commerce orders give users the opportunity to do 24x7 ordering, we also need to be prepared for problems that occur outside of normal business hours.

We should add some words to the P-Card user guide and provide some extra training. However, we need to be careful about publishing sensitive p-card account information where it might get distributed to the world.

Here are my thoughts about the security plan:

The security plan would become part of any long-term agreements or used whenever we provide credit card or user information outside the normal ordering process. For these situations we need to take a proactive approach to making sure a plan exists that will help mitigate the impact of any
credit card data loss.

Here are some points to consider in the plan:

Another issue you may want to address is the notification of users and other vendors if cards are compromised and on-line ordering shut down. If users are dependant upon using their purchasing cards to order supplies and we cancel the cards, how do we notify them to stop trying to order from other suppliers.


Probably never need it? We hope not, but just in case, it's easier to plan ahead.



MLTWEB is assembled and maintained by Michael L. Taylor, C.P.M. 
Materials and articles prepared by Mike may be shared for purchasing education provided that this source is cited and no fee is charged. The rights for any other use are withheld.
Copyright;  Michael L. Taylor, C.P.M.
Last Updated: 02/26/2012