The Corporate Travel Card PCI Challenge

Written by Walter Conway
December 8th, 2009

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

When I played high school football, the coach once said to me, “Son, there are three ways you can do things: the right way; the wrong way; and the coach’s way. Which way are you going to do things?” To which I replied, “the coach’s way, sir.” PCI can sometimes get like that when the card brands can’t agree among themselves as to whether something is in-scope or out-of-scope.

Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In my experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.

There is a division of labor in the world of PCI. The PCI Council, among other duties, manages and promotes PCI DSS. The five card brands, on the other hand, enforce the DSS each according to its own lights. Nowhere is this separation of duties–and difference in interpretation and presumably enforcement–clearer than in the world of purchasing and procurement cards.

At the PCI Community Meeting, I asked the Technical Working Group whether a company’s travel and purchasing cards were in-scope, and I was referred to the Council’s FAQ on the subject, which says: PCI DSS applies to any entity that stores, processes or transmits cardholder data. Whether entities with cardholder data on their own corporate cards need to validate compliance is determined by each payment brand individually. Depending on the marks on those corporate cards, please contact the applicable payment brands.

This description is not terribly helpful, but fair enough. The Council (division of labor) sets the rules, and the brands decide how to enforce them. So I contacted each of the brands to see whether it views these cards to be in-scope. Both Visa and MasterCard got back to me within hours, and Discover replied in a day. I got American Express’ answer a by speaking directly to its representatives while at the PCI Community Meeting.

MasterCard won my personal prize for succinctness: “MasterCard considers these cards in-scope.” Discover replied similarly: “Per the requirements of the DISC program, which may be found on our Web site, any payment card bearing the Discover logo is considered to be within scope of the PCI DSS.”

Therefore, the answer seemed pretty straightforward: If your company issues MasterCard or Discover branded cards to your employees for travel or purchasing, the cardholder data is in-scope for your PCI assessment.

Visa, however, provided a more nuanced response: “As stated by the PCI DSS, any entity that stores, processes or transmits cardholder data are within scope. The corporate card data itself would not be within scope of an entity’s PCI DSS compliance VALIDATION scope but should be secured in accordance with personally identifiable information restrictions. However, if the entity’s corporate card information resides in the same systems or unsegmented network as their merchant payment card processing environment, the systems would be within the entity’s PCI DSS compliance validation scope” We should note that the emphasis is Visa’s.

I translate this response to mean that if your Visa branded corporate and purchasing card data is housed somewhere in your merchant cardholder data environment, then and only then would the corporate card data be in-scope. Otherwise, if you issue Visa branded cards for travel or purchasing, then they are out of your PCI scope.


2 Comments | Read The Corporate Travel Card PCI Challenge

  1. Jay Libove, CISSP, CIPP Says:

    Thank you for the thoughtful article. Only after reading it do I realize that the question ultimately lies in who has the liability for damages caused to an information security breach of a ‘corporate card’ program?

    If the “cardmember” rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose.

    What are the actual rules?
    Does the cost of fraudulent use of a particular business’ corporate cards fall only on that business? If so then PCI DSS should not apply.

  2. Walt Conway Says:

    Thanks for the comment, Jay, and you make a good point about where the risk lies.

    I think the risk in a compromise depends on the card type. For example, corporate/travel cards are issued in the cardholder’s name (via the company), and they would be governed by Regulation W which also covers all credit cards. That is, the liability would be $50 to the cardholder. I am not, however, an expert on the nuances of these particular cards or the specific operating regulations governing them. Maybe companies should check their contracts to see liability provisions?

    As for purchasing cards which are issued in the company’s name, I can only speculate that the liability in a breach would depend on the contract between the company and the issuer for liability provisions.

    In any event, you make a good point that PCI DSS should not apply. However, I keep coming back to my old high school football coach: we can do things the right way, the wrong way, or the coach’s (i.e., the brands’) way. From my point of view, I guess I’ll keep doing things the coach’s way.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.