My organization has a client that currently stores credit card details with us, but we are going to transition them to storing just tokens instead and letting the credit card service handle the personal card information. From a PCI DSS compliance perspective, what is the difference between passing credit card information through our system and redirecting the customer to another system for input values?
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The news may be quite good for your organization. Tokenization is the process of replacing a credit card number with a replacement value that is unrelated to the card number itself. Properly implemented tokenization systems make it virtually impossible to reverse-engineer the tokenization process and retrieve the original credit card number.
In this case, your client is, and will always be, subject to PCI DSS merchant requirements under the terms of its contract with its bank. The client may, however, take steps to reduce its compliance burden by limiting the amount of card information that it handles and the scope of the systems involved in those transactions. If the organization is able to successfully outsource credit card processing and never handle cardholder information, its compliance burden is reduced to a minimum set of practices to ensure that the appropriate policy and administrative controls are in place, as outlined in Self-Assessment Questionnaire A.
Your organization, on the other hand, is not considered a merchant because it doesn't accept credit cards on its own behalf. Up until now, you were a service provider under PCI DSS requirements because you stored credit card information on behalf of a client, the merchant. The applicable language in PCI DSS says that merchants may use service providers to "store, process or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers." Cardholder data is specifically defined as credit card numbers, cardholder names, expiration dates and service codes.
If the client is no longer using your systems to store, process or transmit cardholder information, which would be the case if tokenization is used, your organization is probably no longer considered a service provider. If that is the case, you have no obligations under the PCI DSS service provider requirements.
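To make the "unrelated to the card number" point in the answer concrete, the following is an added example (not code from the column, from Mike Chapple or from any tokenization vendor). It contrasts a derived "token" (a SHA-256 hash of the PAN), which an attacker can reverse by enumerating the small PAN space, with a vault-issued token drawn from a CSPRNG, which can only be mapped back by the vault itself. Assumptions: the PAN 4111111111111111 is a constructed test number; the brute-force helper takes a 12-digit known prefix only to keep the demo instant (with just the public 6-digit BIN the search is 10**9 hashes, still minutes on one CPU core); the vault is in-memory, whereas a real provider encrypts stored PANs under PCI DSS Requirement 3; and making tokens fail the Luhn check so they cannot be mistaken for card numbers is a design choice, not something the answer prescribes.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed test PAN from the usual payment-card test ranges; not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation, as used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise AssertionError("unreachable: exactly one check digit always exists")


# --- The weak approach: a "token" derived from the PAN ------------------------

def naive_hash_token(pan: str) -> str:
    """A hash of the PAN is NOT a token: it is deterministic and the PAN space is small."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest_hex: str, known_prefix: str, pan_len: int = 16) -> Optional[str]:
    """Brute-force a hashed PAN.

    The 6-digit BIN is public and the last digit is a Luhn check digit, so a
    16-digit PAN has only 10**9 unknown digits per BIN. To keep this demo instant
    we assume a 12-digit known prefix (10**3 candidates); the attack is the same
    with a shorter prefix, just slower.
    """
    unknown = pan_len - len(known_prefix) - 1  # minus the check digit
    for n in range(10 ** unknown):
        partial = known_prefix + str(n).zfill(unknown)
        candidate = partial + luhn_check_digit(partial)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


# --- The tokenization service: random tokens, PAN kept only in the vault ------

class TokenVault:
    """Simulated vault at the card-service provider; the merchant never holds it.

    Assumption: a real vault encrypts stored PANs (PCI DSS Requirement 3); this
    demo keeps them in memory only to show the token/PAN relationship.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:       # same card -> same token, so the
            return self._pan_to_token[pan]  # merchant can recognise repeat customers
        while True:
            # Random body from a CSPRNG; only the last four digits are preserved
            # so the merchant can display "ending in 1111" without holding the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and (design choice) reject anything that passes
            # Luhn: a token that fails Luhn can never be mistaken for a card number.
            if token in self._token_to_pan or luhn_valid(token):
                continue
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; no computation on the token does it."""
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What the merchant (or a service provider acting for it) stores after tokenization."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    digest = naive_hash_token(SAMPLE_PAN)
    print("hashed PAN recovered:", recover_pan_from_hash(digest, SAMPLE_PAN[:12]))
    vault = TokenVault()
    rec = merchant_record(vault, SAMPLE_PAN)
    print("merchant stores:", rec, "| Luhn-valid token?", luhn_valid(rec["token"]))
    print("vault detokenizes to:", vault.detokenize(rec["token"]))
```

Run twice and the random token differs each time while the hashed "token" is identical; that determinism, combined with the small PAN space, is exactly why a hash does not take the merchant's systems out of scope the way a vault-issued token does.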