
What is the best practice in terms of data locality in the PCI DSS compliance world? Can I store PCI/PII data (no, we are not storing any CC#, CVV, or magnetic stripe data) from one country in another country?

Say, for example, the merchant does business in Europe (say France or Germany) and the merchant server and DB are in the US; will that be considered against PCI compliance?

Jimson James

  • If you are storing data in one country like the US but processing the data in Europe, best practice is to follow PCI standards for both the US and the EU; as both locations have touched the data, both sets of regulations are in play. – john_h Mar 29 '18 at 19:44

2 Answers

PCI doesn't mandate keeping the data locally. They just want you to ensure that the data, wherever stored, is handled according to PCI DSS regulations. Moving or storing data outside of the country is generally regulated by the government of that particular country. In the case of India, entities were storing data outside of India, but after the RBI (Reserve Bank of India, India's central banking institution, which controls the monetary policy of the Indian currency) regulation was passed to migrate the data (transaction data and its metadata) back to India, all companies had to do so and provide a declaration.

Jimson James

Best practice is to use an HSM locally. This tokenizes all sensitive data fields into hashes. Then the data can be distributed. All reverse lookups have to be authenticated and logged locally with the HSM.

MortenB

  • That is applicable if I do have hardware in the remote country (say France), but what if I'm like eBay, selling products, and my server is located in the US, but customers are from France or Germany and all purchases happen through my website only? – Jimson James Apr 02 '18 at 17:45
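A sketch of the tokenization scheme MortenB's answer describes, added here as an example and not code from either answer: a local vault (an in-memory dict standing in for the HSM-backed store) replaces sensitive fields with opaque tokens before a record is shipped to the remote server and DB, and every reverse lookup is authorised and written to an audit log. The field names, the principal names, the `TokenVault` API and the `tok_` prefix are assumptions for illustration; the sample order is constructed, not real customer data.

```python
"""Local tokenization vault (illustrative example, not the original post's code).

Sensitive fields are swapped for random tokens before a record leaves the
local environment; the token <-> value mapping stays in the vault, and
detokenization is restricted to authorised principals and always logged.
"""
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, List, Set

# Assumption: which record fields count as sensitive. The merchant's own
# data model decides this; these names are illustrative only.
SENSITIVE_FIELDS = {"email", "phone", "iban"}


class TokenVault:
    """Stands in for the HSM-backed store: holds the only copy of the
    token <-> value mapping and gates every reverse lookup."""

    def __init__(self, index_key: bytes, authorised_principals: Set[str]) -> None:
        self._index_key = index_key  # keyed index so equal values map to one token
        self._value_by_token: Dict[str, str] = {}
        self._token_by_fingerprint: Dict[str, str] = {}
        self._authorised = set(authorised_principals)
        self.audit_log: List[Dict[str, Any]] = []

    def _fingerprint(self, value: str) -> str:
        # HMAC rather than a bare hash: without the key, someone who steals the
        # index cannot brute-force low-entropy values such as phone numbers.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # Random token: carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fingerprint[fp] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, principal: str, purpose: str) -> str:
        # The log records who asked for which token and why, never the value.
        entry = {"ts": time.time(), "token": token, "principal": principal, "purpose": purpose}
        if principal not in self._authorised:
            self.audit_log.append({**entry, "result": "denied"})
            raise PermissionError(f"{principal} is not authorised to detokenize")
        value = self._value_by_token.get(token)
        if value is None:
            self.audit_log.append({**entry, "result": "unknown_token"})
            raise KeyError(token)
        self.audit_log.append({**entry, "result": "ok"})
        return value


def tokenize_record(record: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Copy of `record` that is safe to ship to the remote server/DB:
    sensitive fields become tokens, everything else is untouched."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in record and record[name] is not None:
            out[name] = vault.tokenize(str(record[name]))
    return out


def detokenize_record(record: Dict[str, Any], vault: TokenVault,
                      principal: str, purpose: str) -> Dict[str, Any]:
    """Reverse lookup for a whole record; each field goes through the
    vault's authorisation and audit path."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        value = record.get(name)
        if isinstance(value, str) and value.startswith("tok_"):
            out[name] = vault.detokenize(value, principal, purpose)
    return out


if __name__ == "__main__":
    # Constructed sample order; not real customer data.
    vault = TokenVault(index_key=secrets.token_bytes(32),
                       authorised_principals={"refund-service"})
    order = {"order_id": "FR-1001", "email": "alice@example.org",
             "phone": "+33123456789", "amount_eur": 49.90}
    shipped = tokenize_record(order, vault)       # this is what crosses the border
    print(shipped)
    print(detokenize_record(shipped, vault, "refund-service", "chargeback"))
    print(vault.audit_log)
```

The tokens are random rather than hashes of the value, with an HMAC-keyed index only so that repeated values map to the same token; the audit entries record the token, principal and purpose but never the cleartext, so the log itself can be stored alongside the tokenized data.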