
I understand the PCI requirements on the storing, processing and transmitting of credit card information (PAN, expiration date, no CVV, etc.).

However, I found nothing about receiving the PAN (no expiration date, no CVV, etc.) in a document format (PDF). A good example of this is the credit card statement that the cardholder usually receives via mail or in electronic format (a PDF downloaded from the bank website).

If I store these credit card statements in my computing environment, do I have to be PCI compliant? The statements will be in PDF format and only show the PAN and nothing else (no CVV, no expiration date, no magnetic stripe, etc.).

techraf
striders
  • Are they your organization's credit cards, or your organization's customers'? – Trey Blalock Jul 21 '16 at 00:04
  • The PDF versions of the credit card statements are from our customers. We take these documents and serve them to our clients, which are banks. – striders Jul 21 '16 at 15:16
  • If it has your customers' credit cards, then it sounds like it's definitely in scope for PCI. – Trey Blalock Jul 21 '16 at 15:24
  • Does PCI make a distinction between storing credit card numbers in digital format (actual numbers stored in a database) and as a document (PDF, JPEG, etc.)? I couldn't find this on the PCI official website. I don't even know if storing such documents requires me to be a Merchant or Service Provider at Level x. – striders Jul 21 '16 at 16:29
  • No. You may also want to speak with a PCI QSA. – Trey Blalock Jul 21 '16 at 16:32
  • The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. https://www.pcicomplianceguide.org/pci-faqs-2/#2 – GhostSpeaks101 Jul 22 '16 at 10:58
  • @GhostSpeaks101 I understand that, but what if I received 10 PDF or printed credit card statements? It's a statement, not full CC info in digital format. – striders Jul 22 '16 at 14:29
  • It'd still comprise the name of the cardholder and the card number, right? If yes, I'd say it falls under PCI, as you'll be storing it. However, the word of a PCI QSA would be more accurate in terms of decision making here. – GhostSpeaks101 Jul 23 '16 at 07:04
  • @GhostSpeaks101 Yeah, it does, but not even the PCI 3.2 document mentions anything about printed statements or PDF files. PCI is a yes-or-no kind of thing, so I have to consult a QSA. – striders Jul 23 '16 at 07:10

1 Answer


Yes, your company needs to be PCI compliant. It doesn't matter whether your customers' credit cards are stored in one format or another (PDF, in a DB, paper, ...), as you wrote; as long as you store, transmit or process them, you are required to be PCI compliant.

Regarding your question in the comment, "I don't even know if storing such document requires me to be a Merchant or Service Provider": the answer is that you are a merchant, and you might be considered a Service Provider for your customers' PCI compliance under requirement 12.8.

BokerTov
  • What's the difference between a merchant and a service provider per PCI? I see an SAQ for Service Providers. If my company only stores CC data temporarily (deleted after a few days), neither processing it nor transmitting it outside my environment, is the company a service provider? – striders Jul 24 '16 at 07:51
  • According to the PCI DSS definition of service providers, a service provider is a "Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data and cardholder information or both." Read more at https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary_v1-1.pdf – BokerTov Jul 24 '16 at 10:42
  • I read that definition, but if you go to https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf?agreement=true&time=1469375987847, page 17, it does NOT define what a service provider is, other than saying "SAQ D for Service Providers applies to all service providers defined by a payment brand as being SAQ-eligible." On page 18, the chart has 2 questions that I am interested in: Service Provider --> SAQ D. Storage of ELECTRONIC cardholder data --> SAQ D. So which one should I use? SAQ D for Merchants, or SAQ D for Service Providers (it's separate on the PCI Council site)? – striders Jul 24 '16 at 16:04
  • 1. Thinking of it again, I should have used the words "eligible to be PCI compliant" instead of "needs to be PCI compliant". 2. Because you are not processing payments, the payment brands will not require you to be PCI compliant. 3. The ones who should ask that are your PCI customers, who, as part of their assessment, will have to monitor your compliance status, and they will need to ask you to fill out SAQ D (which contains all of the full PCI DSS requirements). – BokerTov Jul 27 '16 at 07:54
  • Thanks for the info. I have one customer asking us to fill out an SAQ, but it's their own version of the SAQ and not the one from the PCI website. This is coming from one of the largest financial institutions in N.A. – striders Jul 27 '16 at 20:00
  • It is common that merchants perform a service provider survey / custom SAQ intended for the relevant processes, and do not request the SPs to do the full SAQ D. – BokerTov Jul 28 '16 at 06:57