I'm a small retailer, and I've read conflicting information online about whether a mobile payment application that I plan to use is PCI DSS-compliant. If I use this type of product, do I have to do all the paperwork and such related to PCI?
The bottom line is that if you hold a credit card merchant account, there is nothing you can do to completely absolve yourself of PCI DSS compliance responsibility. If you consult the terms of your merchant agreement, you will find language that places the burden of compliance clearly on your organization. In cases where you are using third-party service providers to implement all or part of your credit card processing, you are responsible for ensuring that you use only PCI DSS-compliant service providers and that you meet all of your other PCI DSS responsibilities.
That said, you may certainly reduce the burden of PCI DSS compliance on your organization by carefully choosing technologies and service providers that limit (or eliminate!) your internal handling of sensitive credit card information. One of the most straightforward ways to do this is to use a solution that takes advantage of point-to-point encryption (P2PE). This technology, also known as end-to-end encryption, uses hardware at the point of sale that encrypts credit card information using a key known only to the service provider and then sends the encrypted transaction to the service provider for processing. The merchant never has access to unencrypted credit card information in electronic form.
In the future, merchants using P2PE may be eligible to use an abbreviated compliance validation process if they meet the following criteria:
- They use PCI SSC validated P2PE for all credit card processing and have properly implemented it.
- No systems other than the P2PE devices store, process or transmit credit card information.
- They do not receive or transmit cardholder data in any other electronic form.
- They do not store any cardholder data in electronic form, even if it is encrypted.
- They have removed all legacy cardholder data from their systems.
Merchants meeting these criteria are eligible to complete the abbreviated SAQ P2PE-HW that focuses on the specific responsibilities of P2PE users. There is a catch, however. Nobody is yet able to use these provisions because the PCI SSC has not added any P2PE products to its official list of Validated P2PE Solutions.