Thursday, September 3, 2009

Procurement Cards Can Be Breached, Too

The University of Vermont reported that up to 240 university-funded procurement cards appear to have been compromised/breached. I don't know all the details, but it gives me the opportunity to raise two important points.

The first is that your procurement, purchasing, travel, whatever cards are payment cards. They have PANs. They can be compromised and when that happens many of these cards with their high limits are pretty attractive to the bad guys. AND, they are in your PCI scope. Nothing in PCI talks about merchants only: PCI applies if you store, process, or transmit payment card data. Many schools have databases sitting in their Procurement or Treasury departments and trust me...if I do your PCI assessment, they will be included in your scope.

The second observation is that reportedly, the university found out when their bank called them. Congratulations to the bank. And another example of "you're the last to know."

I am thinking of the old television announcements that used to come on late in the evening: "It's 10 o'clock; do you know where your children are?" I now want to re-phrase that to: "It's time to be PCI compliant; do you know where all your carholder data are?"

Give it a thought.


  1. While I agree with you that security procurement cards should not be overlooked, I disagree with you that they are in scope for assessment. The bank that issues our procurement cards is not the same bank that issues our merchant numbers. Since the QSA report goes to the aquiring bank; they have no business knowing anything about the procurement cards issued to me by the competing bank. Also, if you look at the PCI Glossary a 'Cardholder' is defined as a 'customer'.

    You're making an assumption that an organization that has procurement cards is also a merchant. What about an organization that has procurement cards but is not a merchant? Do they need to be PCI DSS compliant? The answer is no, because the risk is theirs alone.

  2. Thanks for the comment. I am saying that purchasing/procurement/travel cards are payment cards and the associated PANs and other cardholder data should be protected per PCI. I think reading your comment, we both agree on that. A difference you point out is where do you report it? Good point, especially in that the P-card issuer is unlikely to be your acquirer (that is, if you even have an acquirer as you also point out).

    Maybe you don't report it to anyone or you include it in your scope if you are a merchant.

    But let's get back to a key objective of PCI: keeping you and your school out of the headlines. Looked at that way, protecting P-card data the same way you protect other card data (per PCI) makes good sense, regardless of whether you report it to yourself or your bank.

  3. how about a compnay that is not a merchant at all. But have 1000s of CC PANs stored in the P-CARD application.
    Should they go for PCI complaince?

  4. Any company which stores PANs should protect the confidentiality of that information in a manner consistent with PCI DSS; it doesn't matter if they are a PCI entity in the authorization-settlement stream or not. This means that company should go through the process of assessing the scope of processes, roles, information systems, networks, and facilities which store, process and transmit PANs. Then they should evaluate the in-place controls relative to PCI DSS requirements and remediate any identified gaps. They are not obligated to validate and report their compliance status (i.e. submit either a SAQ or AOC) to an acquiring institution as a result of this project.

    As Gary mentioned above, it is important to apply controls in a manner consistent with PCI DSS but not necessary to report that compliance status to an acquiring institution.

    These internal P-card financial processes can be considered as cardholder related processes. For example, a procurement office that stores PANs for reconciliation purposes with internal cost centres are operating under cardholder agreement terms with the issuing bank and brand of card associated with the P-cards, In the case of a breach, the liability should be equivalent to that levied against a card holder for card data fraud. I say "should" because it depends greatly upon the terms of the contract signed between the company and the issuing institution. The greatest risk to the company is reputational; the name of the institution is tarnished and trust in that institution is eroded. Applying proper controls to cardholder information entrusted to an institution is a form of mitigating reputational risk, and less so financial risk.