Choosing PCI DSS-compliant service providers

Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.

I'm a small retailer, and I've read conflicting information online about whether a mobile payment application that I plan to use is PCI DSS-compliant. If I use this type of product, do I have to do all the paperwork and such related to PCI?

The bottom line is that if you hold a credit card merchant account, there is nothing you can do to completely absolve yourself of PCI DSS-compliance responsibility. If you consult the terms of your merchant agreement, you will find language that places the burden of compliance clearly on your organization. In cases where you are using third-party service providers to implement all or part of your credit card processing, you are responsible for ensuring that you use only PCI DSS-compliant service providers and that you meet all of your other PCI DSS responsibilities.

That said, you may certainly reduce the burden of PCI DSS compliance on your organization by carefully choosing technologies and service providers that limit (or eliminate!) your internal handling of sensitive credit card information. One of the most straightforward ways to do this is to use a solution that takes advantage of point-to-point encryption (P2PE). This technology, also known as end-to-end encryption, uses hardware at the point of sale that encrypts credit card information using a key known only to the service provider and then sends the encrypted transaction to the service provider for processing. The merchant never has access to unencrypted credit card information in electronic form.

In the future, merchants using P2PE may be eligible to use an abbreviated compliance validation process if they meet the following criteria:

  • They use a PCI SSC-validated P2PE solution for all credit card processing and have implemented it properly.
  • No systems other than the P2PE devices store, process or transmit credit card information.
  • They do not receive or transmit cardholder data in any other electronic form.
  • They do not store any cardholder data in electronic form, even if it is encrypted.
  • They have removed all legacy cardholder data from their systems.

Merchants meeting these criteria are eligible to complete the abbreviated SAQ P2PE-HW, which focuses on the specific responsibilities of P2PE users. There is a catch, however: nobody is yet able to use these provisions, because the PCI SSC has not added any P2PE products to its official list of Validated P2PE Solutions.

This was first published in June 2014