We're considering doing what other Websites do with payment processing by asking for a credit card number, expiration
date and CVV. Is this safer for customers and/or advantageous for PCI credit card compliance requirements if we collect less data?
While it’s always advantageous to collect as little personally identifiable information (PII) as possible, this won’t change your compliance obligations. Every merchant and service provider involved in the processing of credit card transactions must comply with Payment Card Industry Data Security Standard (PCI DSS) requirements.
Ask the Expert!
Got a vexing compliance problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The most stringent PCI DSS requirements surround sensitive cardholder information, or the storage and use of credit card account numbers, CVV codes and track data retrieved from the magnetic strip on the back of the card (which obviously does not apply to the e-commerce transactions you describe).
Consequently, the one thing you may wish to consider in terms of improving your customers’ safety and your compliance with PCI DSS requirements is your storage of this data. If you’re able to receive the data, process the transaction, and discard the data without storing it on your systems, you’ll be able to simplify your compliance efforts. If you never store the data, you don’t need to worry about encrypting it or safeguarding the locations where sensitive credit card data is stored.
When you look at the issue from a customer safety perspective, it’s certainly true that the less data you collect and store, the better. The more complete a picture of your customers that identity thieves are able to obtain, the more damage they’ll be able to do. However, you’ll need to balance this minimalist approach with your organization’s business requirements.
Dig deeper on PCI Data Security Standard
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.