
Cardholder data segmentation for PCI compliance (3.2)

December 7

We are currently collecting cardholder data in a segmented way. Our system is used by call center agents, which I will refer to as channel B.

Over channel A (mobile carrier) we collect the first 8 digits of the credit card followed by the CVV. Now, we are not in control of logging over this channel and they might log this in clear text.

Over channel B, the agent collects the rest of the PAN and the expiry date.

We then reconstruct it to switch.

My question is this: point 3.2 of PCI compliance states you are not allowed to store the CVV, but does this apply with a segmented PAN? My argument is that you can't do anything with the CVV without the full PAN.


Regardless of segmentation you are not allowed to store the CVV data. The effectiveness of this code is limited to the ability to keep it out of the hands of criminals, which is why it is prohibited by PCI Standards from being stored. For merchants who charge customers on a recurring basis, the CVV code can be used with the initial transaction but cannot be stored for future transactions.

Now you have an argument, but consider that there is a breach in your company and the CVV numbers are obtained and used together with card numbers collected in a breach from company B; then guess who will be held accountable, as they did not adhere to the PCI-DSS standard.

The rules for PCI-DSS are not only there to give you guidance on how to store information but also serve as a way of off-loading risk from the card acquirers to the merchants. Maybe you might think that it's not fair, but in case of PCI-DSS: "The rules are the rules". The only way you would be able to avoid this risk is by having a QSA sign off on your implementation and explicitly have your architecture where you store the CVV as part of the audit report (to be fair I highly doubt any QSA will sign off on that).

My understanding of it is that it's an absolute - you are not allowed to store the CVV number, whether you have stored the rest of the card number, none of the card number, part of the card number, or an encrypted card number.

PCI doesn't tend to work on what you can do with things, merely preventing things that have high potential to cause issues.

1. If you have the first 8 digits it is considered PAN.
2. The requirement is not to store it after authorization, meaning if you store, authorize and delete, it's OK.
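As an added, defender-side illustration of the handling the answers describe (this is example code written for this page, not code from the original thread or from any of its posters): the CVV exists only for the authorization call and never reaches the persisted record; what is kept afterwards is the truncated PAN (first six and last four digits, the most PCI DSS requirement 3.3 allows to be displayed, and truncation is one of the storage methods requirement 3.4 accepts) plus a keyed one-way reference token; and a scrub function for the channel-A capture drops the CVV and cuts the 8-digit prefix to six before it lands in any log the merchant controls, because a partial PAN is still cardholder data. The `authorize` callback standing in for the payment switch, the HMAC key, the channel-A log format and all card numbers are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check on the reassembled PAN before it is used for anything."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six + last four, the most PCI DSS 3.3 lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way reference to the PAN (assumption: the key lives in a separate KMS/HSM)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """The only card data this system keeps after authorization.
    There is deliberately no field for the CVV and none for the full PAN."""
    masked_pan: str
    pan_token: str
    expiry: str


def process_transaction(prefix8, cvv, remainder, expiry, authorize, token_key):
    """Reassemble the two channel fragments, use the CVV exactly once for the
    authorization call, and return only what may be persisted (None if declined).
    `authorize` is a hypothetical callable standing in for the payment switch."""
    pan = prefix8 + remainder
    if not luhn_valid(pan):
        raise ValueError("reassembled PAN failed Luhn check")
    approved = authorize(pan, expiry, cvv)   # the CVV's only use; nothing below references it
    if not approved:
        return None                          # declined: nothing is stored at all
    return StoredCard(mask_pan(pan), pan_token(pan, token_key), expiry)


# Constructed log shape for channel A: an 8-digit prefix, a short separator, a 3-4 digit CVV.
CHANNEL_A_CAPTURE = re.compile(r"(?<!\d)(\d{8})[\s,;:-]{0,3}(\d{3,4})(?!\d)")


def redact_channel_a_log(line: str) -> str:
    """Drop the CVV entirely and cut the prefix to six digits before a line is logged.
    Even the 8-digit prefix alone is cardholder data, so it is not left in clear text."""
    return CHANNEL_A_CAPTURE.sub(lambda m: m.group(1)[:6] + "** [cvv-redacted]", line)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # placeholder for the example, not a real key
    record = process_transaction("41111111", "123", "11111111", "12/21",
                                 lambda pan, exp, cvv: True, key)
    print(record)
    print(redact_channel_a_log("2018-12-07 10:01:02 IVR capture: 41111111 123"))
```

The design point is that the CVV has no home outside the `authorize` call: no field, no return value, no log line. Python cannot reliably zero a string in memory, so the guarantee is structural (scope) rather than cryptographic; anything that needs the card later goes through `pan_token`, which can be matched but not reversed without the key.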
