PCID-04

Do your systems or solutions store, process, or transmit cardholder (payment/credit/debit card) data?

Explanation

This question asks whether your systems or software solutions handle credit card, debit card, or other payment card information in any way. Specifically, it covers three key activities:

1. STORING: Do you save card numbers, expiration dates, CVV codes, or other card data in your databases or files?
2. PROCESSING: Do you perform operations on card data (such as validating it or authorizing transactions)?
3. TRANSMITTING: Do you send card data from one system to another or between parties?

This question is critical in security assessments because payment card data is highly regulated by the Payment Card Industry Data Security Standard (PCI DSS). If your systems handle cardholder data, you become subject to PCI DSS compliance requirements, which include numerous security controls to protect this sensitive information.

The question is asked to determine:
- Whether PCI DSS applies to your organization
- What level of PCI compliance you need to maintain
- What specific security controls you need to implement
- What risks exist related to payment data

When answering this question, be precise and thorough about:
- Exactly what card data elements you handle (full PAN, truncated numbers, etc.)
- How the data flows through your systems
- What security measures you have in place
- Whether you are currently PCI DSS compliant

If you do not handle card data directly (e.g., you use a third-party payment processor), make that clear in your response.

Guidance

Refer to the PCI DSS Security Standards for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our e-commerce platform stores and processes cardholder data. We maintain a PCI DSS Level 1 compliance certification. Our systems store encrypted card numbers (PAN) and expiration dates in our secure payment database, but we do not store CVV codes after transaction authorization. All stored cardholder data is encrypted using AES-256 encryption at rest, and all transmission of this data occurs over TLS 1.2+ connections. We undergo annual PCI DSS assessments by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV). Our most recent PCI DSS Attestation of Compliance (AOC) was completed on March 15, 2023, and is available upon request.

Example Response 2

No, our application does not directly store, process, or transmit cardholder data. We integrate with Stripe's payment processing platform using their recommended implementation, which leverages Stripe Elements. This approach ensures that payment card data is collected directly by Stripe in the user's browser and never touches our servers. The payment flow works by redirecting users to Stripe's secure payment page, and we only receive tokenized payment information and transaction status from Stripe after processing is complete. We maintain documentation of our payment data flow and have implemented the security controls recommended by Stripe for their integrations.

Example Response 3

Partially. While our main application does not store or process complete cardholder data, we do transmit card data during the initial payment setup process. When a customer enters their payment information, our frontend securely transmits this data directly to our payment processor (PayPal), but the full card numbers briefly pass through our API gateway for logging purposes before being forwarded. We recognize this puts us in scope for PCI DSS compliance, and we are currently working to redesign this flow to implement a direct-to-processor model that will remove our systems from the card data flow entirely. In the interim, we have implemented encryption for data in transit, restricted access to logs containing this information, and are conducting quarterly vulnerability scans. We expect to complete our payment flow redesign within the next 60 days.
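Example Response 3 describes the situation that most often drags a system into PCI DSS scope by accident: full PANs passing through a gateway and landing in logs. The "full PAN vs. truncated number" distinction in the Explanation above is exactly what separates in-scope from out-of-scope data, so a practical interim control is to make sure a full PAN can never be written to a log in the first place. The following Python is an added illustration, not part of the questionnaire guidance or any vendor's code: it finds candidate card numbers in a log line using a Luhn check (so ordinary 16-digit identifiers such as trace IDs are left alone) and truncates them to first six and last four digits, a common truncation format. The sample log lines and the `redact_pans`/`scrub_log` function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side. Longer digit runs never match.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str) -> Tuple[str, int]:
    """Return (sanitised line, number of PANs masked).

    Only digit runs that are PAN-length AND Luhn-valid are masked, so
    timestamps, trace IDs and similar numeric fields survive unchanged.
    """
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return raw

    return PAN_CANDIDATE.sub(repl, line), count


def scrub_log(lines: List[str]) -> List[str]:
    """Sanitise a batch of log lines before they are persisted or shipped."""
    return [redact_pans(line)[0] for line in lines]


if __name__ == "__main__":
    # Constructed sample gateway log lines; 4111... and 5555... are
    # well-known test card numbers, the trace id is a non-Luhn 16-digit value.
    sample = [
        "2023-03-15T10:01:02Z gw POST /payments card=4111111111111111 exp=12/25",
        "2023-03-15T10:01:03Z gw POST /payments card=5555 5555 5555 4444",
        "2023-03-15T10:01:04Z gw trace=1234567890123456 status=200",
    ]
    for original, cleaned in zip(sample, scrub_log(sample)):
        print(cleaned, "" if original == cleaned else "  <- PAN masked")
```

In a real deployment this would sit in the logging pipeline (a log formatter or a filter in front of the log shipper) rather than be called ad hoc, and it is a containment measure only: the durable fix is the direct-to-processor redesign the response describes, which removes the gateway from the card data flow altogether.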

Context

Tab: Case-Specific
Category: Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: three at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub