I'm a small retailer, and I've read conflicting information online about whether a mobile payment application that...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
I plan to use is PCI DSS-compliant. If I use this type of product, do I have to do all the paperwork and such related to PCI?
The bottom line is that if you hold a credit card merchant account, there is nothing you can do to completely absolve yourself of PCI DSS-compliance responsibility. If you consult the terms of your merchant agreement, you will find language that places the burden of compliance clearly on your organization. In cases where you are using third-party service providers to implement all or part of your credit card processing, you are responsible for ensuring that you use only PCI DSS-compliant service providers and that you meet all of your other PCI DSS responsibilities.
That said, you may certainly reduce the burden of PCI DSS compliance on your organization by carefully choosing technologies and service providers that limit (or eliminate!) your internal handling of sensitive credit card information. One of the most straightforward ways to do this is to use a solution that takes advantage of point-to-point encryption (P2PE). This technology, also known as end-to-end encryption, uses hardware at the point of sale that encrypts credit card information using a key known only to the service provider and then sends the encrypted transaction to the service provider for processing. The merchant never has access to unencrypted credit card information in electronic form.
In the future, merchants using P2PE may be eligible to use an abbreviated compliance validation process if they meet the following criteria:
- They use PCI SSC validated P2PE for all credit card processing and have properly implemented it.
- No systems other than the P2PE devices store, process or transmit credit card information.
- They do not receive or transmit cardholder data in any other electronic form.
- They do not store any cardholder data in electronic form, even if it is encrypted.
- They have removed all legacy cardholder data from their systems.
Merchants meeting these criteria are eligible to complete the abbreviated SAQ P2PE-HW that focuses on the specific responsibilities of P2PE users. There is a catch, however. Nobody is yet able to use these provisions because the PCI SSC has not added any P2PE products to its official list of Validated P2PE Solutions.
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.