alexlukin - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Do PCI compliance standards matter when merchants sell off-site?

Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations can do this.

My organization sells concert tickets using a web-based software system at multiple venues it doesn't own. We'd like to take our USB-connected card readers with us to the venues, but our IT provider is saying that's not possible. We were planning to use the wireless networks provided by the venues. How do we support PCI compliance standards when we sell off-site?

The Payment Card Industry Data Security Standard does not contain any restriction prohibiting the use of mobile devices or wireless networks belonging to outside providers. That said, merchants retain the burden of ensuring all of their uses of credit card information follow PCI compliance standards. I know of several organizations in situations similar to yours that have designed their operations to support mobile ticketing operations in a manner that they feel is compliant with the standard.

One possible way to handle this situation regarding PCI compliance standards is to treat each venue as you would an internet service provider and avoid putting them in contact with any cardholder information at all. Use strong encryption to protect credit card data before it leaves your system. Better yet, adopt point-to-point encryption technology that encrypts credit card information at the point of swipe in a manner that renders it inaccessible to anyone other than the transaction processor.

Of course, building out an operation that fully follows PCI compliance standards is a complex undertaking that requires detailed knowledge of a business' operational and technology environment. My advice to you is to return to your IT provider and ask it to help you design a PCI compliant approach and, if it's unwilling or unable to do so, find an alternative provider.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out how Google Cloud Platform affects merchant compliance with PCI DSS

Learn how vulnerability scanning tools can help with PCI compliance

Discover why PCI SSC pushed back the TLS encryption deadline

This was last published in August 2016

Dig Deeper on PCI Data Security Standard