I'm a small retailer, and I've read conflicting information online about whether a mobile payment application that
I plan to use is PCI DSS-compliant. If I use this type of product, do I have to do all the paperwork and such related to PCI?
The bottom line is that if you hold a credit card merchant account, there is nothing you can do to completely absolve yourself of PCI DSS-compliance responsibility. If you consult the terms of your merchant agreement, you will find language that places the burden of compliance clearly on your organization. In cases where you are using third-party service providers to implement all or part of your credit card processing, you are responsible for ensuring that you use only PCI DSS-compliant service providers and that you meet all of your other PCI DSS responsibilities.
That said, you may certainly reduce the burden of PCI DSS compliance on your organization by carefully choosing technologies and service providers that limit (or eliminate!) your internal handling of sensitive credit card information. One of the most straightforward ways to do this is to use a solution that takes advantage of point-to-point encryption (P2PE). This technology, also known as end-to-end encryption, uses hardware at the point of sale that encrypts credit card information using a key known only to the service provider and then sends the encrypted transaction to the service provider for processing. The merchant never has access to unencrypted credit card information in electronic form.
In the future, merchants using P2PE may be eligible to use an abbreviated compliance validation process if they meet the following criteria:
- They use PCI SSC validated P2PE for all credit card processing and have properly implemented it.
- No systems other than the P2PE devices store, process or transmit credit card information.
- They do not receive or transmit cardholder data in any other electronic form.
- They do not store any cardholder data in electronic form, even if it is encrypted.
- They have removed all legacy cardholder data from their systems.
Merchants meeting these criteria are eligible to complete the abbreviated SAQ P2PE-HW that focuses on the specific responsibilities of P2PE users. There is a catch, however. Nobody is yet able to use these provisions because the PCI SSC has not added any P2PE products to its official list of Validated P2PE Solutions.
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Dig deeper on PCI Data Security Standard
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Expert Mike Chapple offers insight on how to maintain PCI DSS compliance when outsourcing Web hosting to a PCI-compliant provider.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.