Ask the Expert

Credit card data storage: Virtual terminal protocol for PCI compliance

If our organization uses a virtual terminal to process credit card transactions, and the actual credit card information itself is never within our network, are we required to undergo a PCI DSS audit?

    Requires Free Membership to View

Concerning enterprises without credit card data storage, I did a search of the PCI DSS website and the PCI standard itself, and found the first answer to your question about virtual terminal protocol in the Frequently Asked Questions section of the PCI DSS website:

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.

And also, in Requirement 12.8, please be aware that:

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.

The most important suggestion offered here, however, is to verify any requirements you must follow with your acquirer (i.e., bank). Be sure to collect any answers from your acquirer in writing for future audits or reviews.

This was first published in April 2010

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: