Bear with me on this as there is a point. It just takes a lot of set up to get to that point.
I am working with a client that issues corporate credit cards to its employees. The PCI SSC has issued FAQ #8715 that states that these corporate cards are not covered by the PCI DSS and that it is up to the individual card brands to dictate the controls required for securing these corporate credit cards.
The card brands are stating that while not covered by the PCI DSS, corporate credit cards do need to be appropriately secured (see requirement 3 for some recommended security methods). As far as any drivers for securing these cards, the card brands point to any relevant personally identifiable information (PII) laws and regulations. However, the card brands do point out that any post authorization data related to these corporate credit cards such as billing statements that show the full PAN are in-scope for PCI DSS compliance.
The PCI SSC has just issued a change to the call center FAQ stating that CVV/CVC/CID cannot be retained in digital recordings. The rationale is that once the transaction is complete, the CVV/CVC/CID information that exists in recordings is now covered by the PCI DSS because it is now post authorization data.
Do you see the conundrum? Under the logic used regarding the call center, one could argue that a credit card would be considered post authorization data once it is used for a transaction. Obviously, that cannot happen as the card would have to be redacted and could not be used again. However, I have a couple of clients that are doing just that and are trying to apply the PCI DSS to their Human Resources and Travel departments because they store the employees’ corporate credit card information including CVV/CVC/CID.
As I have explained it to them, the differentiator in all of this is that in the case of the call center, all of the data in question is under the control of the merchant and therefore the merchant is responsible to ensure the security of the information. In the case of corporate credit cards, the corporation is not acting as the merchant as they are acting as the customer on behalf of their employees. As such, they are allowed to have the card information as long as the employee legally acknowledges that fact and that the card information is appropriately secured.
