We're considering doing what other Websites do with payment processing by asking for a credit card number, expiration date and CVV. Is this safer for customers and/or advantageous for PCI credit card compliance requirements if we collect less data?
While it’s always advantageous to collect as little personally identifiable information (PII) as possible, this won’t change your compliance obligations. Every merchant and service provider involved in the processing of credit card transactions must comply with Payment Card Industry Data Security Standard (PCI DSS) requirements.
Ask the Expert!
Got a vexing compliance problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The most stringent PCI DSS requirements surround sensitive cardholder information, or the storage and use of credit card account numbers, CVV codes and track data retrieved from the magnetic strip on the back of the card (which obviously does not apply to the e-commerce transactions you describe).
Consequently, the one thing you may wish to consider in terms of improving your customers’ safety and your compliance with PCI DSS requirements is your storage of this data. If you’re able to receive the data, process the transaction, and discard the data without storing it on your systems, you’ll be able to simplify your compliance efforts. If you never store the data, you don’t need to worry about encrypting it or safeguarding the locations where sensitive credit card data is stored.
When you look at the issue from a customer safety perspective, it’s certainly true that the less data you collect and store, the better. The more complete a picture of your customers that identity thieves are able to obtain, the more damage they’ll be able to do. However, you’ll need to balance this minimalist approach with your organization’s business requirements.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.