This is page 2 of:
The Corporate Travel Card PCI Challenge
American Express’ response completed the continuum of answers: Amex corporate cards are always out of scope. Amex does not believe it should require the company to which the cards are issued to do anything special; any move to protect the cardholder data is up to that company.
So there we have it. If your company issues a travel or purchasing card with the MasterCard and Discover logos, those PANs are in your PCI scope. But these same types of cards carrying the American Express logo are out of scope for the issuing company. And if the cards have the Visa logo, they are only in-scope if the corporate cardholder data is stored in the merchant cardholder data environment.
I don’t know which brand I agree with more. MasterCard and Discover take the position that a PAN is a PAN; game over. Their position has the advantage of being straightforward and internally consistent with PCI DSS, which says that systems that store, process or transmit cardholder data are in scope. As a QSA, I like that clarity. However, American Express’ position is much more realistic from a business perspective, and it is consistent in its own way, because PCI doesn’t require individual cardholders to comply with the DSS. Amex treats corporate cards (usually issued in an individual’s name) and purchasing cards (issued in the company’s name) no differently than it does individual cardholder cards. That is, PCI DSS does not and should not apply.
Visa’s position combines elements from each of the other brands. The corporate and purchasing cardholder data are out-of-scope in just about all cases. The exception is when you put your purchasing and expense report databases in your merchant cardholder data environment. Then everything is in-scope for PCI.
For myself, I suggest you protect these PANs as if they were in-scope regardless of brand. Although your QSA may not consider them in-scope, they might want to document your practices as a finding in your ROC. And although the bad guys have not targeted these cards yet, the situation could change. Some of these cards have huge spending limits, so protecting the cardholder data according to the DSS makes good business sense and it protects your employees, too.
I don’t think that the different postures by the respective brands should be enough to sway your company’s issuing decision. There are more important business drivers, such as acceptance, customer support, reporting and cost. But as an IT exec, I think you ought to invite yourself to the meetings where your company decides to issue or renew a contract for these cards. You don’t need a PCI surprise.
Am I happy with this state of affairs? Is it fair to place the burden on merchants? Do I think it likely the card brands will get their acts together and come up with a single position? My answer to all these questions is “no.” It’s like my old high school football coach said. There may be a right way, and there may be a wrong way, but we’re going to do things the coach’s (that is, the five brands’) way.
I’m interested to know what you think. How do you handle your corporate and purchasing cards? Do you even pay attention to them? Leave a comment below, or send me an E-mail: wconway@403labs.com.
December 10th, 2009 at 2:39 pm
Thank you for the thoughtful article. Only after reading it do I realize that the question ultimately lies in who has the liability for damages caused by an information security breach of a ‘corporate card’ program?
If the “cardmember” rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose.
What are the actual rules?
Does the cost of fraudulent use of a particular business’ corporate cards fall only on that business? If so then PCI DSS should not apply.
December 10th, 2009 at 11:03 pm
Thanks for the comment, Jay, and you make a good point about where the risk lies.
I think the risk in a compromise depends on the card type. For example, corporate/travel cards are issued in the cardholder’s name (via the company), and they would be governed by Regulation W which also covers all credit cards. That is, the liability would be $50 to the cardholder. I am not, however, an expert on the nuances of these particular cards or the specific operating regulations governing them. Maybe companies should check their contracts to see liability provisions?
As for purchasing cards which are issued in the company’s name, I can only speculate that the liability in a breach would depend on the contract between the company and the issuer for liability provisions.
In any event, you make a good point that PCI DSS should not apply. However, I keep coming back to my old high school football coach: we can do things the right way, the wrong way, or the coach’s (i.e., the brands’) way. From my point of view, I guess I’ll keep doing things the coach’s way.