
The organization I work for holds PCI-DSS compliance as a merchant (we fill in SAQ-D). At the same time, due to document/payment verification processes, we request from our customers pictures of their credit/debit cards - of course with the appropriate digits hidden.

Now we want to outsource this functionality to another company which will only be responsible for the document verification and will send back to us the picture of the card and the data on the card - again only the ones that can be viewed according to PCI (OCR recognition):

  • Expiration/Issuing Date
  • First six PAN number digits
  • Last 4 PAN number digits
  • Cardholder's name

We have signed a DPA with them and agreed that in case they receive an unmasked card, they will immediately reject it and inform us so we can get in touch with the customer and inform them accordingly. All this communication will be done over an encrypted communication channel.

They are not a payment service provider; they will just provide a mechanism for document verification (one of these documents is a masked credit/debit card).

So my question is, can we do that according to the PCI?
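As an added example, not part of the question or of any vendor's tooling: a Python check a merchant could run on each record the verification provider returns, enforcing that only the first six and last four PAN digits are exposed and flagging a record where an unmasked PAN slipped through (the record field names are assumptions; the sample records are constructed).

```python
import re

# Constructed sample records, shaped as a verification vendor might return
# them. Field names are assumptions, not a real vendor API.
SAMPLE_RECORDS = [
    {"first_six": "411111", "last_four": "1111", "expiry": "12/24",
     "holder": "JANE DOE", "ocr_text": "4111 11** **** 1111 12/24 JANE DOE"},
    # Same card, but the vendor failed to mask the middle digits.
    {"first_six": "411111", "last_four": "1111", "expiry": "12/24",
     "holder": "JANE DOE", "ocr_text": "4111 1111 1111 1111 12/24 JANE DOE"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real PAN apart from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked_pan(text: str):
    """Return a Luhn-valid digit window of PAN length (13-19) if one exists."""
    compact = re.sub(r"[ -]", "", text)          # OCR output often has spacing
    for run in re.findall(r"\d{13,}", compact):
        for n in range(13, min(19, len(run)) + 1):
            for start in range(len(run) - n + 1):
                candidate = run[start:start + n]
                if luhn_ok(candidate):
                    return candidate
    return None


def check_record(record: dict) -> tuple[bool, list[str]]:
    """Accept only if PAN exposure is limited to first six + last four."""
    problems = []
    if not re.fullmatch(r"\d{6}", record.get("first_six", "")):
        problems.append("first_six must be exactly six digits")
    if not re.fullmatch(r"\d{4}", record.get("last_four", "")):
        problems.append("last_four must be exactly four digits")
    if find_unmasked_pan(record.get("ocr_text", "")):
        problems.append("unmasked PAN present: reject and notify per the DPA")
    return (not problems, problems)
```

A rejected record should be discarded without being stored, since retaining it would bring the full PAN into the merchant's own scope.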

  • Are they an approved Service Provider, found on Visa's SP listing?
    – gowenfawr
    Commented Apr 12, 2019 at 20:56
  • No, they are not. They are not a payment service provider, they will just provide a mechanism for documents verification (one of these documents are masked credit/debit cards). What do you think?
    – elli
    Commented Apr 13, 2019 at 13:23

1 Answer


We are deep into IANAQSA territory here

So my question is, can we do that according to the PCI?

That might be contrary to PCI DSS §12.8 as incorporated into SAQ D by Part 2f. (Whew - say that five times fast).

Part 2f is a list of your Third-Party Service Providers, and states:

Note: Requirement 12.8 applies to all entities in this list.

§12.8 is all about the diligence you have to do around Service Providers, and §12.8.4 states:

Is a program maintained to monitor service providers' PCI DSS compliance status at least annually?

Now, as you state:

They are not a payment service provider

They would likely be out of compliance with §12.8. Especially where your relationship with them explicitly describes procedures for handling accidental PAN, I don't see how you could not treat this role as one for an approved Service Provider.

Now, perhaps a QSA would find that a permissible exception, because it's dealing with exception cases and the data is intended to be masked. The SAQ doesn't even have a checkbox for "Yes, I use a third-party service provider, but they fail §12.8," so I don't see how you'd explore this with your Processor if you're going the SAQ route.
