Do PCI requirements apply if you have a card number on an image but don't actually collect the data? [closed]

StackOverflow https://stackoverflow.com/questions/8622585

  •  28-03-2021

Question

The company I work for will be receiving scanned images of forms from which we will be gathering data (putting it into an XML file). Credit card numbers will have been written onto the forms, but we won't be collecting that data or processing a payment.

In such a scenario, do PCI standards apply? There's no actual data file with the number, but anyone looking at the image could readily get the credit card numbers. Card holder name will be present, no security code. Not sure if expiry date will be included.

I think we fall under the definition of a service provider, and to me the SAQ-D seemed most likely to apply. The environment in question wouldn't meet all requirements in the SAQ-D.

My opinion from what I've read is that the requirements apply, but even if they didn't, why wouldn't we try to follow them? Those above me think we're fine as long as we're deleting the images on a regular basis.

I'd be grateful for any input, links, relevant sections of the PCI-DSS documents, etc. either for or against following the standard in this type of scenario.

Solution

PCI standards apply to any machine along the transmission path, whether it is stored on that machine or not. I am under the belief that the data, while not in text form, is still made available (think OCR), and thus should be treated as any other form of data.

All that aside, as far as deleting images on a regular basis, this will certainly get you in trouble. Again, the concern isn't whether it's stored or not, the concern is whether that data can be retrieved. Data can be retrieved from a system that doesn't even store the data.

As cshneid states, you'd be best off asking "qualified counsel." However, as a rule of thumb: if there is any doubt, you are not compliant.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow