The Corporate Travel Card PCI Challenge
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
When I played high school football, the coach once said to me, “Son, there are three ways you can do things: the right way; the wrong way; and the coach’s way. Which way are you going to do things?” To which I replied, “the coach’s way, sir.” PCI can sometimes get like that when the card brands can’t agree among themselves as to whether something is in-scope or out-of-scope.
Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In my experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.
There is a division of labor in the world of PCI. The PCI Council, among other duties, manages and promotes PCI DSS. The five card brands, on the other hand, enforce the DSS each according to its own lights. Nowhere is this separation of duties–and difference in interpretation and presumably enforcement–clearer than in the world of purchasing and procurement cards.
At the PCI Community Meeting, I asked the Technical Working Group whether a company’s travel and purchasing cards were in-scope, and I was referred to the Council’s FAQ on the subject, which says: PCI DSS applies to any entity that stores, processes or transmits cardholder data. Whether entities with cardholder data on their own corporate cards need to validate compliance is determined by each payment brand individually. Depending on the marks on those corporate cards, please contact the applicable payment brands.
This description is not terribly helpful, but fair enough. The Council (division of labor) sets the rules, and the brands decide how to enforce them. So I contacted each of the brands to see whether it views these cards to be in-scope. Both Visa and MasterCard got back to me within hours, and Discover replied in a day. I got American Express’ answer a by speaking directly to its representatives while at the PCI Community Meeting.
MasterCard won my personal prize for succinctness: “MasterCard considers these cards in-scope.” Discover replied similarly: “Per the requirements of the DISC program, which may be found on our Web site, any payment card bearing the Discover logo is considered to be within scope of the PCI DSS.”
Therefore, the answer seemed pretty straightforward: If your company issues MasterCard or Discover branded cards to your employees for travel or purchasing, the cardholder data is in-scope for your PCI assessment.
Visa, however, provided a more nuanced response: “As stated by the PCI DSS, any entity that stores, processes or transmits cardholder data are within scope. The corporate card data itself would not be within scope of an entity’s PCI DSS compliance VALIDATION scope but should be secured in accordance with personally identifiable information restrictions. However, if the entity’s corporate card information resides in the same systems or unsegmented network as their merchant payment card processing environment, the systems would be within the entity’s PCI DSS compliance validation scope” We should note that the emphasis is Visa’s.
I translate this response to mean that if your Visa branded corporate and purchasing card data is housed somewhere in your merchant cardholder data environment, then and only then would the corporate card data be in-scope. Otherwise, if you issue Visa branded cards for travel or purchasing, then they are out of your PCI scope.
-Marc
December 10th, 2009 at 2:39 pm
Thank you for the thoughtful article. Only after reading it do I realize that the question ultimately lies in who has the liability for damages caused to an information security breach of a ‘corporate card’ program?
If the “cardmember” rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose.
What are the actual rules?
Does the cost of fraudulent use of a particular business’ corporate cards fall only on that business? If so then PCI DSS should not apply.
December 10th, 2009 at 11:03 pm
Thanks for the comment, Jay, and you make a good point about where the risk lies.
I think the risk in a compromise depends on the card type. For example, corporate/travel cards are issued in the cardholder’s name (via the company), and they would be governed by Regulation W which also covers all credit cards. That is, the liability would be $50 to the cardholder. I am not, however, an expert on the nuances of these particular cards or the specific operating regulations governing them. Maybe companies should check their contracts to see liability provisions?
As for purchasing cards which are issued in the company’s name, I can only speculate that the liability in a breach would depend on the contract between the company and the issuer for liability provisions.
In any event, you make a good point that PCI DSS should not apply. However, I keep coming back to my old high school football coach: we can do things the right way, the wrong way, or the coach’s (i.e., the brands’) way. From my point of view, I guess I’ll keep doing things the coach’s way.