5

We have a banking application that allows you to pay your bills (using your savings/checking account) -- including your credit card bills. However our system was set up such that you enter the credit card number that you will be paying the bill for.

Is PCI-DSS compliance required for this system even if your payment sources do not include credit cards?

4 Answers

4

The requirement to comply with PCI-DSS is contractual, typically in the agreement between a merchant who wants to accept card payments and their acquiring bank, or between a merchant and a provider of payment services. If you haven't signed an agreement with anyone agreeing to maintain PCI compliance, you have no requirement to abide by it.

bobince
  • Thanks. But actually it's not our system -- it's a system we developed for our client. Their IT security is saying we must be PCI-DSS compliant. Can they claim such? – jokerpablo1 Oct 09 '14 at 09:39
3

Caveat: IANAQSA, and this is more guesswork than usual.

Using the logic I used in this answer, the answer would seem to be no, as you're not "involved in payment card processing".

However, in your comment to @bobince's answer you state that your client "is saying we must be PCI-DSS compliant. Can they claim such?" Well, if they're subject to PCI DSS, then yes. It's in line with (v3) 12.8.2:

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

and 12.8.4:

Maintain a program to monitor service providers’ PCI DSS compliance status at least annually

Now, it sounds like you're an application provider rather than a service provider. And even though you're not a "payment application" per se, this guidance probably applies:

PCI DSS may apply to payment application vendors if the vendor stores, processes, or transmits cardholder data, or has access to their customers’ cardholder data (for example, in the role of a service provider).

There is some precedent saying, essentially: You don't have to maintain DSS compliance. But if you don't do so, then the burden of proving the compliance of the app falls upon your client. For that reason, clients often demand that application providers maintain DSS compliance, usually by choosing not to do business with providers that won't.

gowenfawr
0

The aim of PCI DSS (Payment Card Industry Data Security Standard) is to prevent credit card fraud via its exposure. Since you said that:

...our system was set up such that you enter the credit card number that you will be paying the bill for.

For sure, if your clients need to enter their credit card numbers, this increases the exposure to fraud via a lot of classical techniques (even if they are quite hard for the layman to perform).

  • Right, but typically PCI-DSS is discussed in systems that use a credit card (or CC numbers, etc.) as a payment source. In this case, the credit card number was used only as a reference number (to indicate the credit card you're paying). So is PCI-DSS still applicable, or was my assumption wrong? – jokerpablo1 Oct 09 '14 at 09:43
  • @jokerpablo1 Of course it is still applicable, since you are referring to it in one way or another in order to use it. –  Oct 09 '14 at 10:46
-1

You didn't say whether or not you store the credit card # after the customer keyed it in. PCI DSS applies only if you store, process, and/or transmit cardholder data. Here's a link to the PCI Council's website and here's a whole section on PCI quick reference.

Tommy