8

Do we have to be PCI compliant to store Social Security Numbers in our hosted database? We are hosting a CRM database for nonprofits in South Carolina.

Warner
Jamey McElveen

5 Answers

7

No. PCI scope data is credit card numbers, which are typically referred to as the Primary Account Number (PAN).

The definition from the glossary is as follows:

Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Nevertheless, if located in the United States, you will likely be subject to state and federal laws by storing the social security number and I would suggest you treat it as PCI scope data. If you are not PCI compliant, I would seek the particular laws applicable and treat it as sensitive as possible within your environment. A good idea would be to consult a lawyer.

From a professional perspective, I like to treat data like this as carefully as possible. I often consider how the public would react to my actions if it were to be unintentionally disclosed and act as responsibly as possible.

Warner
  • PCI DSS is very stringent and has its own audit requirements outside of financial, operational, or other types of audits. Since PCI DSS is a private data standard and is not the result of legislation, I doubt that an average attorney will be able to answer questions any better than one who is certified to perform PCI audits. You might be able to self-certify via the PCI questionnaire if your volume is not high. – jl. Jul 20 '10 at 15:07
  • His question was about SSN, jl, not PCI. I would be able to answer any questions regarding PCI. – Warner Jul 20 '10 at 15:11
  • 3
    While SSNs and PCI aren't related, you could do worse than to start using the PCI standard as a guideline for handling SSN numbers or any sensitive data. – mtinberg Jul 20 '10 at 16:54
  • "His question was about SSN, jl, not PCI. I would be able to answer any questions regarding PCI." Was my post inaccurate? Was it offensive? – jl. Jul 20 '10 at 17:13
  • Not offensive, jl. I was simply pointing out that your response may have resulted from a misinterpretation of what I said. – Warner Jul 20 '10 at 20:19
7

The regulation surrounding Social Security Numbers themselves is different than the regulation surrounding the Payment Card Industry standards.

sysadmin1138
1

PCI is for payment processing; if you're not processing payments or storing payment information you shouldn't have to be PCI compliant from a legal standpoint. If you are handling social security numbers you should be very careful.

jer.salamon
  • There's no legal requirement regarding PCI compliance at all as it's not a federal or state law, that I'm aware of. Not being PCI compliant will probably affect your relationship with payment processing vendors and other financial institutions, but there are no legal requirements to be PCI compliant. Some states have enacted laws that take some of their framework from PCI, but from a strictly black and white perspective, there's no legal requirement to be PCI compliant. I'm not saying to ignore it or that it's not important, only that it's not technically illegal to not be compliant. – joeqwerty Jul 20 '10 at 15:00
  • Being compromised can result in steep financial penalties, which are law. For example, if you're using old encryption on pin pads you're responsible. – jer.salamon Jul 20 '10 at 15:31
1

You need to check data breach statutes for your state. SSNs definitely fall under personal identifying information, as do some of the other data you may be storing. At minimum, you need to encrypt the stored data. You also need to pay attention to access controls. PCI-DSS is not applicable, but depending on the industry you are in, the Gramm-Leach-Bliley Act may apply, as well as other federal and state laws.

Craig
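One way to act on the "encrypt the stored data" advice in the answer above, as an added example that is not part of this thread or of any CRM product: the SSN column holds only AES-256-GCM ciphertext, the keys stay outside the database (here passed in by the caller; in practice fetched from a KMS or secrets store), the row's own record ID is bound as associated data so a ciphertext cannot be transplanted between rows, and a keyed blind index lets the application look a contact up by SSN without decrypting anything. Function names, the nonce||ciphertext layout and the record ID are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BlindIndex is an HMAC of the bare digits, stored beside the ciphertext so
// the application can find a record by SSN without decrypting the column.
func BlindIndex(indexKey []byte, ssn string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.NewReplacer("-", "", " ", "").Replace(ssn)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal returns nonce||ciphertext for the row; recordID is bound as associated
// data, so a value copied into another contact's row will not decrypt.
func Seal(encKey []byte, ssn, recordID string) ([]byte, error) {
	aead, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(ssn), []byte(recordID)), nil
}

// Open authenticates then decrypts; tampering or the wrong recordID is an error.
func Open(encKey, stored []byte, recordID string) (string, error) {
	aead, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	pt, err := aead.Open(nil, stored[:n], stored[n:], []byte(recordID))
	return string(pt), err
}
```

Use a different key for the blind index than for the ciphertext, and treat the index column as sensitive too, since anyone holding the index key can test candidate SSNs against it.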
0

http://www.nelsonmullins.com/DocumentDepot/June%2025th%20Breach%20Management%20Slides.pdf

South Carolina Data Breach Survival Guide

jl.