Who Are You? A, B, C or D? Check first if you're storing electronic cardholder data before you answer that question.
Written by:
Joan Herbig

The PCI Security Standards Council provides plenty of guidance on how to determine which Self-Assessment Questionnaire (SAQ) you should complete. It sounds simple enough: you know your business better than anyone. Ask your Information Technology person the same question, however, and you may get a completely different answer than the one you were expecting.
To make that concrete, say you own a specialty food business with a chain of five stores and a Website. The PCI Council's SAQ eligibility criteria (SAQ v2.0) are as follows:
| SAQ Validation Type | Description | # of Questions (v2.0) |
|---|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced to a PCI-compliant service provider | 13 |
| B | Imprint-only merchants with no electronic cardholder data storage; standalone dial-up terminal merchants, no electronic cardholder data storage | 29 |
| C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage | 51 |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage | 80 |
| D | All other merchants (not included in the descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ | 288 |
You use a PCI-approved point-of-sale system in your stores. Customers swipe their cards on it and the cardholder data is sent to your processor/bank for processing and ultimately, settlement. All you receive back from the bank is a report with the first 12 digits of the credit card numbers crossed out and the last four visible. You don't store any cardholder data.
For your Website, you have it planned so that when the customer enters their credit card information, it is sent to the same processor/bank for processing and ultimately, settlement. Again, you don't store any cardholder data. You even made sure that the processor is a PCI-compliant service provider. All you receive back in that scenario is the same report.
For the store scenario, you are a "C". For the Website, you are an "A". Easy enough. You decide to complete and submit SAQ C, the stricter of the two, and consider all bases covered.
Not so fast, says the IT person. Remember the meeting we had last year when we implemented the store and Website return and exchange policy? Our VP of Customer Support decided it would be in our best interest to support our customers if we stored their credit card information for six months so we can quickly process their refunds. We've been storing that data for the past six months in a database in our computer room.
In an instant, your organization has become a "D", which is close to the equivalent of completing a full Level 1 Report on Compliance. If you refer to the table above, you will see that the number of compliance questions has jumped from 80 to 288, a substantial difference in the PCI-compliance world.
The scenario above occurs frequently. Sometimes the business does not know it is storing cardholder data, and sometimes the data is stored intentionally. Often the decision to store cardholder data is not communicated throughout the organization, and only a select few are aware that it is taking place. The IT group is usually among them, since they are the people who manage the settings for the systems and the encryption of the data.
In other words, you can do almost everything else right (by using the services of a PCI-compliant service provider and PA-DSS certified point-of-sale systems), but the electronic storage of cardholder data is a game-changer. If you store cardholder data electronically, you are automatically a "D" and under much stricter enforcements, requirements and costs.
The battle to store cardholder data is usually an internal one as customers generally prefer businesses to not store their data after hearing frequent horror stories about identity theft. The decision to store cardholder data usually comes from "the top"; a management decision, generally to support business operations, marketing efforts, sales or attempts to improve customer experience and support. The decision to not store this data usually comes from the IT group or other areas associated with monitoring and reducing company risk. Oftentimes, these two sides do not communicate with each other and decisions are made to retain cardholder data electronically without everyone being fully in the know.
Compliance with PCI has been a requirement for several years and so the only open question at this point in time is how to achieve it. While retaining the cardholder data electronically may improve the customer experience and ease of placing orders on your Website, is it indeed worth the additional 208 PCI requirements, all with the likely potential of increasing costs, labor and effort? Before you answer that question, check with your IT group and find out what is really happening when a customer swipes their credit card in your store or enters their information online. The response may surprise you.
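The check the article recommends, finding out whether full card numbers are actually sitting in a database, can be started with a simple discovery scan. The following Python is an added example, not part of the original article or any PCI Council tool: it runs a regular expression for 13 to 19 digit runs over exported records, keeps only the candidates that pass the Luhn check every card number must satisfy, and reports hits with the leading digits crossed out and only the last four visible, so the scan report itself does not become another store of cardholder data. The table rows are constructed sample data using published test card numbers, and the function and column names are assumptions made for this example.

```python
# Added example: a first-pass scan for full card numbers (PANs) in stored data.
import re
from typing import List, Tuple

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Masked values such as "************1111"
# never match because the asterisks are not digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return separator-free digit strings in text that look like full PANs."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Cross out everything but the last four digits, as on the processor's report."""
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample rows (order_id, customer, stored_value) for this example.
# The full numbers are published test card numbers, not real accounts.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("1000001", "A. Customer", "4111 1111 1111 1111"),  # full Visa test PAN
    ("1000002", "B. Customer", "************4444"),      # masked: last four only
    ("1000003", "C. Customer", "378282246310005"),       # full Amex test PAN (15 digits)
    ("1000004", "D. Customer", "1234567890123456"),      # 16 digits, fails Luhn: not a PAN
    ("1000005", "E. Customer", "411111******1111"),      # truncated first six / last four
]


def scan_rows(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (order_id, masked_pan) for every row holding a full PAN.

    The report carries only masked values so it does not become another
    copy of cardholder data.
    """
    findings = []
    for order_id, _customer, value in rows:
        for pan in find_pans(value):
            findings.append((order_id, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for order_id, masked in scan_rows(SAMPLE_ROWS):
        print(f"order {order_id}: full card number stored ({masked})")
    if scan_rows(SAMPLE_ROWS):
        print("Electronic cardholder data found: this is SAQ D territory.")
```

Truncated or masked values like the ones on the processor's report do not trigger a hit, and a 16-digit order number that fails the Luhn check is ignored. A scan like this over database exports, log files and backups is only a first pass: every match still has to be confirmed by a person, and a clean result does not prove absence (an encrypted or Base64-encoded column will not match), so it supplements, not replaces, asking the IT group what the systems actually store.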
Storing cardholder data is not the only criterion for an SAQ D qualification. In upcoming articles, we will provide examples of other scenarios that can place you in the SAQ D category. If you have questions or need expert guidance before then, we stand ready to help. Please contact us at 1-800-825-3301 x 1.


