Does PCI Apply to me? Store Process Transmit

June 18, 2009

Lots of people ask this, so it must be time to blog it. “Does PCI apply to my company?” Ask yourself three simple questions. Do you:

  • STORE Credit Card data.
    No need to extol the virtues here: if someone stores your data, you want it stored safely.
  • PROCESS Credit Card data.
    If you touch CHD (Cardholder Data, the term the ‘industry’ uses) in any way, shape or form, you are a liability to the safety of that data. (If you disagree, leave your buddy’s daughter unattended with your credit card at a shopping center. She is only ‘temporarily in contact’ with it.)
  • TRANSMIT Credit Card data.
    No need to explain why valuable or sensitive data in transit is an attractive target.

So, if you do pretty much anything with Credit Card data, the Payment Card Industry probably cares that you are handling their data safely; it keeps the cardholders happy.

Now, let’s say that a company *does not touch* the CHD. At all. For all payment activity, the company outsources most (if not ALL) of the payment processing to a ‘service provider’… what does PCI say about that?

PCI Requirement 12.8: “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

  1. Maintain a list of service providers.
  2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  3. Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
  4. Maintain a program to monitor service providers’ PCI DSS compliance status.”

Making it SIMPLE: if a company is in any way involved with Credit Card data, it needs to be sure that those interactions align with the security requirements it is legally bound to (you might want to start with that PCI DSS stuff).

For ultimate clarity, go to the ‘Acquiring Bank’: a banking institution must ultimately accept responsibility for any risk presented by the transactions it receives from business partners (like the merchants that pay it to convert credit transactions into cash).

FINAL THOUGHT: Even if your payment channels or your online store are outsourced, or you have completely eradicated any form of contact with the ‘actual credit card data stuff’, you may want to look at the Self Assessment Questionnaire stuff. If the company that processes CC data ‘for your company’ is hacked wide open, your company will still get the free press for getting hacked (even though you may not be paying the fines). (C’mon, if you outsource your CC processing and they get hacked, you aren’t getting my business till you fix that…)

In all seriousness, PCI has evolved. Go check out the options for companies that see little, if any, credit card data.

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.