2 votes

What I am doing is developing financial software and connecting it to a third party credit card company which is PCI compliant. Our company is a Canadian company. We are not PCI compliant and are not planning to be PCI compliant. But we want to save the last 4 digits of the PAN to help front line staff with identification.

If I ONLY save the last 4 digits of the PAN, client name, expiry date and PRN, do I have to be PCI compliant? If I do, what about if I ONLY save the last 4 digits of the PAN with the PRN? Do I have to be PCI compliant then?

I read the PCI DSS documentation. It only says I have to be PCI compliant if I save the PAN, but doesn't say anything about saving only the last 4 digits.

Thank you.


5 Answers

5 votes

The deciding factor in PCI DSS applicability is whether or not you store, process or transmit the Primary Account Number (the long number on the front of the card).

If you only ever have the last four digits of the number and don't come into contact with any other digits of the PAN in any other way, then you do not need to meet the PCI requirements.

However, if you have the full card number anywhere, even if it's just to process it, then you will need to meet the requirements of PCI.

You can check this on page 7 of the PCI standard (version 2.0), available on the PCI website: https://www.pcisecuritystandards.org/

4 votes

If your company is storing, processing or transmitting the cardholder name, expiry date and last 4 digits of the number, you need not be compliant with the PCI DSS requirements. BUT if you store, process or transmit cardholder data along with the PAN, you have to be compliant with the 12 PCI DSS requirements, except that requirement 3.1 will not be applicable, because it applies only to the PAN.

If your company hands transactions to a third party vendor like PayPal, India Pay, etc., PCI DSS applies to the payment gateway as well as to the company, because the cardholder information is transmitted from the company's server to the payment card server.

1 vote

If the user enters "any" credit card related data in "any" of your applications, you have to be PCI compliant regardless of what you are doing with it. Plus, it is always beneficial to be PCI compliant given its increasing popularity.

0 votes

Every website in the US that handles credit cards in some fashion has to be PCI compliant. The level of compliance will vary depending on exactly what you're doing. PCI compliance does cover storing the last four digits of a credit card number and the expiration date (you can do it, but they don't recommend it, and if you do it they recommend encrypting it).

0 votes

The best answer I could find is on Authorize.net's website:

http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Notifying-Users-Their-Credit-Card-Is-About-to-Expire-Without-PCI/ba-p/8025

As I read it, they are basically saying that you can exploit a loophole. Technically you can't store the expiration date, but you can store information that is based on the expiration date, namely the date on which you want to remind the customer to update their card.
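The two approaches raised in the answers above, keeping only the last four digits of the PAN (first answer) and storing a reminder date derived from the expiry date instead of the expiry date itself (last answer), combined into one worked example. This is added code, not from the question, any answer, or Authorize.net; the field names, the 30-day reminder offset, the "7 or more consecutive digits" leak threshold and the sample card data are all assumptions made for the example.

```python
"""
Added example: the record a front-line system keeps after the card itself
has been handed to a PCI-compliant processor. It keeps only the last four
digits of the PAN and, instead of the expiry date, a reminder date derived
from it, then checks that no longer run of PAN digits leaked into what is
about to be stored. Field names, offsets and sample data are assumptions.
"""
import json
import re
from datetime import date, timedelta

# Assumption for this example: any run of 7 or more consecutive digits in
# the stored record is treated as a possible card-number fragment.
_LONG_DIGIT_RUN = re.compile(r"\d{7,}")


def mask_pan(pan: str) -> str:
    """Return only the last four digits of a PAN; everything else is dropped."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[-4:]


def reminder_date(exp_month: int, exp_year: int, days_before: int = 30) -> date:
    """Date on which to remind the customer, derived from the expiry month.

    The expiry month is the last month the card is valid, so count back
    from the first day of the following month. Only this date is stored;
    the expiry month/year themselves are not.
    """
    if not 1 <= exp_month <= 12:
        raise ValueError("bad expiry month")
    if exp_month == 12:
        first_after = date(exp_year + 1, 1, 1)
    else:
        first_after = date(exp_year, exp_month + 1, 1)
    return first_after - timedelta(days=days_before)


def build_stored_record(pan: str, exp_month: int, exp_year: int,
                        prn: str, client_name: str) -> dict:
    """Assemble what goes into our own database: no full PAN, no expiry date."""
    return {
        "client_name": client_name,
        "pan_last4": mask_pan(pan),
        "prn": prn,
        "remind_on": reminder_date(exp_month, exp_year).isoformat(),
    }


def leaks_pan(record: dict, pan: str) -> bool:
    """True if the serialised record contains the full PAN or any digit run
    long enough to be more than a last-four suffix (see threshold above)."""
    blob = json.dumps(record)
    full = re.sub(r"\D", "", pan)
    return full in blob or _LONG_DIGIT_RUN.search(blob) is not None


if __name__ == "__main__":
    # Constructed sample input; not a real card or customer.
    sample_pan = "4111 1111 1111 1111"
    rec = build_stored_record(sample_pan, 11, 2026, "PRN-000123", "J. Doe")
    print(rec)
    print("PAN leaked:", leaks_pan(rec, sample_pan))
```

The `leaks_pan` check is the part worth keeping in a real system: run it on every record before it is written, so that a later "helpful" change that adds a raw gateway response to the record gets caught rather than silently putting the full PAN into a database that was never meant to hold it.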