
Do PCI compliance standards matter when merchants sell off-site?

Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations can do this.

My organization sells concert tickets using a web-based software system at multiple venues it doesn't own. We'd like to take our USB-connected card readers with us to the venues, but our IT provider is saying that's not possible. We were planning to use the wireless networks provided by the venues. How do we support PCI compliance standards when we sell off-site?

The Payment Card Industry Data Security Standard does not contain any restriction prohibiting the use of mobile devices or wireless networks belonging to outside providers. That said, merchants retain the burden of ensuring all of their uses of credit card information follow PCI compliance standards. I know of several organizations in situations similar to yours that have designed their operations to support mobile ticketing operations in a manner that they feel is compliant with the standard.

One possible way to handle this situation regarding PCI compliance standards is to treat each venue as you would an internet service provider and avoid putting them in contact with any cardholder information at all. Use strong encryption to protect credit card data before it leaves your system. Better yet, adopt point-to-point encryption technology that encrypts credit card information at the point of swipe in a manner that renders it inaccessible to anyone other than the transaction processor.

Of course, building out an operation that fully follows PCI compliance standards is a complex undertaking that requires detailed knowledge of a business' operational and technology environment. My advice to you is to return to your IT provider and ask it to help you design a PCI-compliant approach and, if it's unwilling or unable to do so, find an alternative provider.



This was last published in August 2016
