
The company I work for will be receiving scanned images of forms from which we will be gathering data (putting it into an XML file). Credit card numbers will have been written onto the forms, but we won't be collecting that data or processing a payment.

In such a scenario, do PCI standards apply? There's no actual data file with the number, but anyone looking at the image could readily get the credit card numbers. Card holder name will be present, no security code. Not sure if expiry date will be included.

I think we fall under the definition of a service provider, and to me the SAQ-D seemed most likely to apply. The environment in question wouldn't meet all requirements in the SAQ-D.

My opinion from what I've read is that the requirements apply, but even if they didn't, why wouldn't we try to follow them? Those above me think we're fine as long as we're deleting the images on a regular basis.

I'd be grateful for any input, links, relevant sections of the PCI-DSS documents, etc. either for or against following the standard in this type of scenario.

James
    Sounds more like a legal question than a programming question. – bbosak Dec 24 '11 at 04:04
    Voted to close as off topic. Do you really want legal advice from software developers? Might as well ask an attorney about object oriented programming or inversion of control. – Adam Robinson Dec 24 '11 at 04:06
  • While I agree with you in theory, software developers certainly need to concern themselves with PCI. PA-DSS, for instance. – D.N. Dec 24 '11 at 04:13
  • @D.N.: They also need to concern themselves with proper workplace personal interaction and appropriate dress; that doesn't make the questions about interoffice dating or how to tie a windsor knot appropriate for this site. SO exists to provide a place for asking and answering technical questions related to software development. This is not such a question. – Adam Robinson Dec 24 '11 at 04:19
  • I can understand the comments about being off topic, and apologize for it. It didn't seem to me at the time to be off topic after reading through some of the other pci related questions, and I was just hoping someone with experience in this area might have been able to offer some advice. – James Dec 24 '11 at 04:24
  • @AdamRobinson Relax, I agree with you. I was just stating your metaphor didn't quite fit. Something more akin to asking advice of a doctor on seat belts would fit better. – D.N. Dec 24 '11 at 04:24

1 Answer


PCI standards apply to any machine along the transmission path, whether it is stored on that machine or not. I am under the belief that the data, while not in text form, is still made available (think OCR), and thus should be treated as any other form of data.

All that aside, as far as deleting images on a regular basis, this will certainly get you in trouble. Again, the concern isn't whether it's stored or not, the concern is whether that data can be retrieved. Data can be retrieved from a system that doesn't even store the data.

As cshneid states, you'd be best by asking "qualified counsel." However, as a rule of thumb: if there is any doubt, you are not compliant.

D.N.
  • It would be a nice trick to retrieve data from a system that doesn't store it. Perhaps you were intending to explain the difference between a secure delete (implying the system did store the data at some point) and a normal delete? –  Dec 24 '11 at 04:32
    No, I intended to explain that a system along the transmission path that doesn't store the image still has to transmit the data. The transmission can be intercepted. – D.N. Dec 24 '11 at 04:34
  • I appreciate this answer. While I completely understand the need to ask proper legal people for proper legal advice, the first two paragraphs mention two points I've already brought up with management (Nathan's comment about securely deleting files being a third). Thank you for that. – James Dec 24 '11 at 04:45
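The answer's "think OCR" point is easy to make concrete: once an image has been through OCR, the primary account number (PAN) is ordinary text that a trivial scanner can pick out. The example below is an added illustration, not code from the question or the answer. It assumes a constructed OCR output (the card numbers are well-known public test PANs, not real accounts), finds digit runs that pass the Luhn check, and masks them to the first six and last four digits, which is the most PCI DSS allows to be displayed. The regex and the 13-19 digit length window are this example's own assumptions about PAN formats.

```python
import re

# Constructed sample of what an OCR pass over a scanned form might return.
# 4111... and 5500... are public test card numbers; the 13-digit "Acct ref"
# is a digit run that is NOT a valid PAN (it fails the Luhn check).
SAMPLE_OCR_TEXT = """Name: J. Smith
Card No: 4111 1111 1111 1111   Exp: 12/14
Phone: 555-0100  Acct ref: 1234567890123
Alt card: 5500-0000-0000-0004
"""

# Digit runs of 13-19 digits, allowing a single space or hyphen between
# digits (assumed OCR output style). Lookarounds stop partial matches
# inside longer digit runs.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidate_digits(match_text: str) -> str:
    """Strip the separators OCR may have kept between digit groups."""
    return re.sub(r'[ -]', '', match_text)


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in the text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _candidate_digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits (PCI DSS display limit)."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form;
    digit runs that are not PANs are left untouched."""
    def repl(m):
        digits = _candidate_digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print("PANs recoverable from OCR text:", find_pans(SAMPLE_OCR_TEXT))
    print(redact(SAMPLE_OCR_TEXT))
```

Run over the OCR output of the scanned forms, this finds both card numbers while ignoring the phone number and the non-Luhn account reference. The practical takeaway for the scenario in the question is that the same few lines would recover the PANs from any copy of the images, so the images are cardholder data wherever they sit, not just in the final XML.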