Credit card data storage: Virtual terminal protocol for PCI compliance

Are merchants who use virtual terminals and payment gateways and do not store credit card data subject to PCI DSS requirements? Learn more in this expert response from Ernie Hayden.

If our organization uses a virtual terminal to process credit card transactions, and the actual credit card information itself is never within our network, are we required to undergo a PCI DSS audit?

Concerning enterprises without credit card data storage, I did a search of the PCI DSS website and the PCI standard itself, and found the first answer to your question about virtual terminal protocol in the Frequently Asked Questions section of the PCI DSS website:

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.

And also, in Requirement 12.8, please be aware that:

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.

The most important suggestion offered here, however, is to verify any requirements you must follow with your acquirer (i.e., bank). Be sure to collect any answers from your acquirer in writing for future audits or reviews.

This was last published in April 2010
