19
Feb
10

A Conundrum?

By PCIGuru Comments
Categories: Card Brands, PCI SSC and Requirement 3 - Protect stored cardholder data
Tags: , , , , , ,

Bear with me on this as there is a point.  It just takes a lot of set up to get to that point.

I am working with a client that issues corporate credit cards to its employees.  The PCI SSC has issued FAQ #1235 that states that these corporate cards are not covered by the PCI DSS and that it is up to the individual card brands to dictate the controls required for securing these corporate credit cards.

The card brands are stating that while not covered by the PCI DSS, corporate credit cards do need to be appropriately secured (see requirement 3 for some recommended security methods).  As far as any drivers for securing these cards, the card brands point to any relevant personally identifiable information (PII) laws and regulations.  However, the card brands do point out that any post authorization data related to these corporate credit cards such as billing statements that show the full PAN are in-scope for PCI DSS compliance.

The PCI SSC has just issued a change to the call center FAQ stating that CVV/CVC/CID cannot be retained in digital recordings.  The rationale is that once the transaction is complete, the CVV/CVC/CID information that exists in recordings is now covered by the PCI DSS because it is now post authorization data.

Do you see the conundrum?  Under the logic used regarding the call center, one could argue that a credit card would be considered post authorization data once it is used for a transaction.  Obviously, that cannot happen as the card would have to be redacted and could not be used again.  However, I have a couple of clients that are doing just that and are trying to apply the PCI DSS to their Human Resources and Travel departments because they store the employees’ corporate credit card information including CVV/CVC/CID.

As I have explained it to them, the differentiator in all of this is that in the case of the call center, all of the data in question is under the control of the merchant and therefore the merchant is responsible to ensure the security of the information.  In the case of corporate credit cards, the corporation is not acting as the merchant as they are acting as the customer on behalf of their employees.  As such, they are allowed to have the card information as long as the employee legally acknowledges that fact and that the card information is appropriately secured.

Advertisement

2 Responses to “A Conundrum?”

Feed for this Entry Trackback Address
  1. 1 Elton Hay
    February 28, 2018 at 3:23 PM

    Re post “Corporate Credit Cards, refers to FAQ #8715 – can not find such an FAQ.
    Can not tell date of this post either – so do not know how current it is.
    But have questions re PCI scope for corporate credit cards. Need to talk to someone who has a handle on this.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

« The Missing Link In Call Center Recordings
What Is Penetration Testing? »

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

February 2010
M T W T F S S
1234567
891011121314
15161718192021
22232425262728

%d bloggers like this: