Misconceptions on PCI DSS applicability

In the last few weeks, a few people have told me that PCI DSS does not apply to them since they do not store any cardholder data. So much has been done over the last few years to educate merchants and service providers about PCI DSS, and people still do not seem to get it.

The PCI DSS standard is quite clear about who needs to comply with it.

PCI DSS applies wherever account data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows:

Cardholder Data includes: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code

Sensitive Authentication Data includes: Full magnetic stripe data or equivalent on a chip, CAV2/CVC2/CVV2/CID, PINs/PIN blocks

The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.

It is important to understand that storage of the data is not the only criterion. Transmission is also included. This means that if the data flows through your network, you will need to comply with PCI DSS requirements unless the data is encrypted before it enters your network, stays encrypted until it leaves your network, and you do not have any means to decrypt it.

One of the most common scenarios is that the data is sent by a client over SSL, gets decrypted on an entity's server, then is re-encrypted and sent to, say, a processor. A lot of people in the entity's place will say that since they do not actually store the data, they do not need to be compliant. In this case, since the data is being decrypted on the entity's server, the entity needs to be PCI compliant.

On the other hand, if the PIN Entry Device (PED) encrypts the card data at the swipe and sends it through the merchant's network to a third party where it is decrypted, then the merchant does not need to be PCI compliant. This assumes that the merchant does not have the decryption keys at all.
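The two scenarios above come down to the same applicability rule, so here is an added example (not from the original post) that encodes it as a scope check over a constructed model of the hops account data takes through an entity's environment. The `Hop` fields, the `entity_holds_keys` flag and the sample flows are my own assumptions for illustration.

```python
from dataclasses import dataclass

# Account-data elements named in the text; PAN is the defining factor.
PAN, NAME, EXPIRY, TRACK, CVV2 = "PAN", "NAME", "EXPIRY", "TRACK", "CVV2"


@dataclass(frozen=True)
class Hop:
    """One system inside the entity's environment that account data passes through
    (constructed model, not from the article)."""
    name: str
    fields: frozenset            # account-data elements present at this hop
    encrypted_on_entry: bool     # data arrives already encrypted
    decrypted_here: bool         # the entity's system decrypts it (e.g. SSL termination)
    stored: bool = False         # data is written to disk/database at this hop


def entity_in_scope(hops, entity_holds_keys):
    """Return (in_scope, reasons). Rule from the text: PCI DSS applies if PAN is
    stored, processed or transmitted, unless the data is encrypted before it
    enters, stays encrypted until it leaves, and the entity cannot decrypt it."""
    reasons = []
    pan_hops = [h for h in hops if PAN in h.fields]
    if not pan_hops:
        return False, ["no PAN stored, processed or transmitted"]
    for h in pan_hops:
        if h.stored:
            reasons.append(f"{h.name}: PAN stored")
        if h.decrypted_here or not h.encrypted_on_entry:
            reasons.append(f"{h.name}: PAN processed in cleartext")
    if entity_holds_keys:
        reasons.append("entity holds keys that can decrypt the PAN")
    if reasons:
        return True, reasons
    return False, ["PAN only transits encrypted and the entity cannot decrypt it"]


# Scenario 1 (constructed): client -> SSL -> entity web server decrypts -> processor.
WEB_FLOW = [Hop("web-server", frozenset({PAN, NAME, EXPIRY, CVV2}),
                encrypted_on_entry=True, decrypted_here=True)]

# Scenario 2 (constructed): PED encrypts at swipe, merchant LAN only forwards it.
PED_FLOW = [Hop("store-lan", frozenset({PAN, TRACK}),
                encrypted_on_entry=True, decrypted_here=False)]

# No PAN at all (constructed): a loyalty system that only keeps cardholder names.
NAME_ONLY_FLOW = [Hop("loyalty-db", frozenset({NAME}),
                      encrypted_on_entry=False, decrypted_here=False, stored=True)]
```

Run `entity_in_scope(WEB_FLOW, entity_holds_keys=True)` and the SSL-terminating server is in scope even though nothing is stored; `entity_in_scope(PED_FLOW, entity_holds_keys=False)` is out of scope only because the merchant never holds the keys.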

Another important thing to remember is that PCI DSS applies irrespective of how many transactions you process. The number of transactions only defines the level at which you will be assessed. Even then, the acquirers (or the financial institutions) can demand that a level 2-4 merchant (an entity that takes payments for itself) or service provider (an entity that takes payments on behalf of others) be assessed as a level 1 merchant or service provider.