Friday, September 25, 2009

Purchasing, Travel, and Corporate Cards and PCI Scope - Some Closure!

I have blogged here (see here with comments, and here, and here) and elsewhere about whether “corporate cards” used for travel and purchasing should be in the “issuing” school’s own scope for PCI. In other words, if a university (or Megacorp) issues Visa or Amex cards to their staff for travel or purchasing, somebody in the school’s finance or purchasing department will have lists of the PANs. Are these PANs for the cards issued by the university in the university's PCI scope?

Some (including this QSA) feel a PAN is a PAN, and as such these cards are in the issuing school’s scope and the data should be protected per the DSS; others (equally or more qualified) believe the cards are out of scope. This topic came up again at the QSA/ASV session at the PCI Community Meeting this week, with the suggestion that it was a “brand issue” and I should check the FAQ. So…

Here is the FAQ (number 8715) and the Council’s response:

If a merchant or service provider has internal corporate credit cards used by employees for company purchases like travel or office supplies, are these corporate cards considered ‘in scope’ for PCI DSS?

PCI DSS applies to any entity that stores, processes, or transmits cardholder data. Whether entities with cardholder data on their own corporate cards need to validate compliance is determined by each payment brand individually. Depending on the marks on those corporate cards, please contact the applicable payment brands listed below for their validation requirements:

  • american.express.data.security@aexp.com
  • askdatasecurity@discoverfinancial.com
  • riskmanagement@jcbati.com
  • sdp@mastercard.com
  • cisp@visa.com

Wow…not a lot of help there. So, I contacted each brand, and here is what I learned.

First, both Visa and MasterCard responded within hours, and Discover replied in just over a day. Kudos to each of these brands for the speedy responses! I got American Express’ reply a bit later by speaking directly to their top PCI people at the PCI meeting. I’m still waiting for JCB, but since I’ve got most of the landscape covered with these 4 brands, it’s worth sharing their responses now.

  • MasterCard won the prize for succinctness: “MasterCard considers these cards in scope.”

  • Discover replied similarly: “Per the requirements of the DISC program, which may be found on our Web site, any payment card bearing the Discover logo is considered to be within scope of the PCI DSS.”

  • Visa was the winner in the fastest response sweepstakes. They provided, however, a more nuanced response: “As stated by the PCI DSS, any entity that stores, processes, or transmits cardholder data is within scope. The corporate card data itself would not be within scope of an entity's PCI DSS compliance VALIDATION scope but should be secured in accordance with personally identifiable information restrictions. However, if the entity's corporate card information resides in the same systems or unsegmented network as their merchant payment card processing environment, the systems would be within the entity's PCI DSS compliance VALIDATION scope.” [emphasis is Visa’s, not mine]

    I translate this to mean that if the corporate card data are housed in the merchant’s cardholder data environment, or on the same unsegmented network as it, then and only then would the corporate card data be in scope for validation. Otherwise, treat the data like you treat other sensitive corporate data or PII. Note that Visa draws the distinction between the data being in scope (which it always is, per the DSS) and the entity having to validate compliance for it.

  • Amex’s response to me at the PCI Community Meeting was that Amex corporate cards are out of the issuing school's or company’s scope. Amex believes they should not require the company issuer (or any cardholder) to do anything special; it’s up to the issuing company.

To summarize, the answer to the question "Are corporate card data in scope for PCI?" is: it depends. Everybody agrees that you should protect the data, but not every brand is going to require it:

  • Corporate/travel/purchasing cards with the MasterCard and Discover logos are in PCI scope for the issuing school.

  • These same cards with the American Express logo are out of scope for the issuing school.

  • These same cards with the Visa logo are in scope only if the corporate card data are stored in the merchant cardholder data environment or on an unsegmented network with it.

Do I agree with all of this? Well, first of all it doesn't really matter. But I find myself closer to the MasterCard and Discover position, and I would advise any school to protect their corporate and purchasing card databases. Ideally, you should protect them per PCI. You can get in the headlines just as easily for losing these cards to a hacker. As for any financial liability if you lose the data...I'll have to leave it up to you to check your contract.

Apologies for the long post (sorry, Dennis!), but I thought it important to share the details with all Treasury Institute followers and other interested parties. I look forward to hearing any additional comments others may have.

8 comments:

  1. First, I admit this post was my first thought on this topic, so I might be treading old ground here. By that token, I should probably shut up because I don't have a procurement card and probably am misunderstanding what they are.

    Maybe hyperbole will illustrate a point. Would my wallet be in scope for my own credit card? Technically, I am storing PAN, right?

    I know that's ridiculous, but would internal cards of your own be in scope for PCI, or should you just be aware that they need to be protected and monitored? For instance, what if they are breached? The only victim is essentially internal.

    Again, this may be a failure on my part for misunderstanding what a procurement card really is. I imagine it akin to a corporate-issued credit card like something a purchaser would be given to charge purchases again.

  2. LonerVamp, I think your analogy is correct, however a compromise of those "internal" cards can impact the holders of the cards as well as the issuing entity.

    They should be protected with similar controls, however I can't imagine why you'd need to VALIDATE compliance to controls related to these cards to your ACQUIRING bank since the storage, processing, and transmission of these numbers do not relate to your merchant activities (unless you are using your merchant systems to manage those cards).

    Also, I can't imagine why an issuing bank would require the organization to store full PANs ... maybe the last 4 digits. Stop storing the PANs and it's out of the discussion completely.

  3. I agree totally with the Visa position. I believe that any other interpretation would make it difficult for people to USE their procurement cards.

  4. Walt - Do you have a link to the source documents from MC? Be helpful for me!

    Greg Miller

  5. Greg, There is no "source document" as such. The response was relayed in an email.

  6. Hi Walt - this issue recently came up again in conversation with a customer. Has there been any further update on this since 2009? Are the brands still interpreting things differently? Also, what do you think of LonerVamp and BMac above?

  7. Jeff, I've not heard of anything new.

  8. Mastercard has changed their stance according to their FAQ here:

    http://www.mastercard.com/us/company/en/docs/Frequently%20Asked%20Questions%20_March%2022%202012.pdf
