Problem solve Get help with specific problems with your technologies, process and projects.

Does reducing data storage improve PCI credit card compliance?

Mike Chapple discusses whether reducing customer credit card data storage is better, worse or ineffective for improving PCI credit card compliance.

We're considering doing what other Websites do with payment processing by asking for a credit card number, expiration date and CVV. Is this safer for customers and/or advantageous for PCI credit card compliance requirements if we collect less data?

While it’s always advantageous to collect as little personally identifiable information (PII) as possible, this won’t change your compliance obligations. Every merchant and service provider involved in the processing of credit card transactions must comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. 

Ask the Expert!

Got a vexing compliance problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The most stringent PCI DSS requirements surround sensitive cardholder information, or the storage and use of credit card account numbers, CVV codes and track data retrieved from the magnetic strip on the back of the card (which obviously does not apply to the e-commerce transactions you describe).

Consequently, the one thing you may wish to consider in terms of improving your customers’ safety and your compliance with PCI DSS requirements is your storage of this data. If you’re able to receive the data, process the transaction, and discard the data without storing it on your systems, you’ll be able to simplify your compliance efforts. If you never store the data, you don’t need to worry about encrypting it or safeguarding the locations where sensitive credit card data is stored.

When you look at the issue from a customer safety perspective, it’s certainly true that the less data you collect and store, the better. The more complete a picture of your customers that identity thieves are able to obtain, the more damage they’ll be able to do. However, you’ll need to balance this minimalist approach with your organization’s business requirements.

This was last published in June 2012

Dig Deeper on PCI Data Security Standard

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.