If your company accepts credit card payments and manages data on cardholders, you are affected by PCI scope. PCI, sometimes known as PCI DSS, refers to Payment Card Industry Data Security Standard, which is the gold standard for credit card security. Falling under PCI scope means that you are required by the payment card industry security standard to undergo regular PCI audit. For your company to be PCI compliant, it must perform tokenization credit card processing. There is an exception to these rules, however. If the payment software you use does not handle encrypted card data, the rules do not apply.
It is possible to restructure your business in such a way as to minimize your exposure to, or even entirely avoid, PCI DSS scope, along with the associated audit costs. To do this, you need to answer a few vital questions. First, what payment types do you need to be able to manage? Do you handle card present transactions, card not present transactions, or both? Do you want to be able to track recurrent billing? What other payment options do you need? You also need to take a look your existing structure, including applications, connected front end systems, and processing solutions. With this information, you can develop a new solution for your company and discuss with a PCI auditor. You’ll need to be sure your plan addresses a variety of issues, including card storage, card flow, payment ecosystem components, processor integration, tokenization service providers, point to point encryption, migration of cardholder data, to name a few.
To find out more about PCI standards and how to avoid or minimize PCI scope, please, contact us.