Credit card data storage: Virtual terminal protocol for PCI compliance

Are merchants who use virtual terminals and payment gateways and do not store credit card data subject to PCI DSS requirements? Learn more in this expert response from Ernie Hayden.

If our organization uses a virtual terminal to process credit card transactions, and the actual credit card information itself is never within our network, are we required to undergo a PCI DSS audit?

Concerning enterprises without credit card data storage, I did a search of the PCI DSS website and the PCI standard itself, and found the first answer to your question about virtual terminal protocol in the Frequently Asked Questions section of the PCI DSS website:

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.

And also, in Requirement 12.8, please be aware that:

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.

The most important suggestion offered here, however, is to verify any requirements you must follow with your acquirer (i.e., bank). Be sure to collect any answers from your acquirer in writing for future audits or reviews.

This was first published in April 2010