We're considering doing what other Websites do with payment processing by asking for a credit card number, expiration date and CVV. Is this safer for customers and/or advantageous for PCI credit card compliance requirements if we collect less data?
While it’s always advantageous to collect as little personally identifiable information (PII) as possible, this won’t change your compliance obligations. Every merchant and service provider involved in the processing of credit card transactions must comply with Payment Card Industry Data Security Standard (PCI DSS) requirements.
Ask the Expert!
Got a vexing compliance problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The most stringent PCI DSS requirements surround sensitive cardholder information, or the storage and use of credit card account numbers, CVV codes and track data retrieved from the magnetic strip on the back of the card (which obviously does not apply to the e-commerce transactions you describe).
Consequently, the one thing you may wish to consider in terms of improving your customers’ safety and your compliance with PCI DSS requirements is your storage of this data. If you’re able to receive the data, process the transaction, and discard the data without storing it on your systems, you’ll be able to simplify your compliance efforts. If you never store the data, you don’t need to worry about encrypting it or safeguarding the locations where sensitive credit card data is stored.
When you look at the issue from a customer safety perspective, it’s certainly true that the less data you collect and store, the better. The more complete a picture of your customers that identity thieves are able to obtain, the more damage they’ll be able to do. However, you’ll need to balance this minimalist approach with your organization’s business requirements.
This was first published in June 2012