alexlukin - Fotolia
My organization sells concert tickets using a web-based software system at multiple venues it doesn't own. We'd like to take our USB-connected card readers with us to the venues, but our IT provider is saying that's not possible. We were planning to use the wireless networks provided by the venues. How do we support PCI compliance standards when we sell off-site?
The Payment Card Industry Data Security Standard does not contain any restriction prohibiting the use of mobile devices or wireless networks belonging to outside providers. That said, merchants retain the burden of ensuring all of their uses of credit card information follow PCI compliance standards. I know of several organizations in situations similar to yours that have designed their operations to support mobile ticketing operations in a manner that they feel is compliant with the standard.
One possible way to handle this situation regarding PCI compliance standards is to treat each venue as you would an internet service provider and avoid putting them in contact with any cardholder information at all. Use strong encryption to protect credit card data before it leaves your system. Better yet, adopt point-to-point encryption technology that encrypts credit card information at the point of swipe in a manner that renders it inaccessible to anyone other than the transaction processor.
Of course, building out an operation that fully follows PCI compliance standards is a complex undertaking that requires detailed knowledge of a business' operational and technology environment. My advice to you is to return to your IT provider and ask it to help you design a PCI compliant approach and, if it's unwilling or unable to do so, find an alternative provider.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out how Google Cloud Platform affects merchant compliance with PCI DSS
Learn how vulnerability scanning tools can help with PCI compliance
Discover why PCI SSC pushed back the TLS encryption deadline
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading