PCI DSS Audit Tip: Store Data Outside Your Environment

Annual PCI Audits: A guide to changing your thought process and reaping the rewards

Are you processing more than 6 million card transactions a year (the Level 1 merchant threshold)? Are you largely a card-not-present (ecommerce) platform? If so, this could be a useful five-minute read for you.

If you do what you've always done, you'll get what you've always got.

Storing the primary account number (PAN) in your own IT infrastructure (on premise or managed service) puts that infrastructure in scope, so a Level 1 merchant faces a lengthy on-site assessment by an external QSA, producing a Report on Compliance, against all 12 PCI DSS requirements. This can equate to months of work with QSAs, compliance tooling and the specialists who maintain it, gap analysis, remediation plans, penetration tests; the list goes on. And from a breach perspective the risk remains, because the sensitive data is still sitting inside your environment.

There has to be a better way—focus on the data.

Alternatively, you can work with a reputable service provider (check their Attestation of Compliance, and that it covers the service you are buying) and remove the card data at the earliest point in the payment process, replacing the PAN with a surrogate value (a token) before it is stored or passed to any of your other systems. Because you no longer store PANs, the scope of your PCI obligations shrinks considerably. Depending on your use case and on what your acquirer requires, you may even qualify to validate with a Self-Assessment Questionnaire (SAQ) instead of a full assessment.

The tools, time and investment needed to achieve and maintain compliance drop substantially, which means a significant financial return, sometimes many tens of thousands of pounds. From a data security perspective, focusing on the data is the best outcome: if the PAN is never in your environment, a breach of that environment cannot expose it.
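What "removing the card data at the earliest point" looks like in practice, as an added example written for this page (Python; it is not TokenEx's code, and the TokenVault class with its tokenize/detokenize methods is a hypothetical stand-in for a provider's API, not any real product interface). The merchant side swaps the PAN for a random token before anything is written to its database, and a Luhn-filtered scanner then checks the merchant's own records and logs for anything that still looks like a PAN, which is the kind of check you should run before claiming that PANs are out of your scope:

```python
import re
import secrets

# Added example for this article, not TokenEx code. TokenVault stands in for
# an external PCI Level 1 service provider's tokenization service; its name
# and methods are assumed for illustration only.


def luhn_valid(digits: str) -> bool:
    """Luhn check on a 13-19 digit string (every real PAN passes it)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Simulates the provider-side vault. In a real deployment this object,
    and the PAN-to-token table, live entirely outside the merchant environment."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("rejecting input that is not a plausible PAN")
        if pan not in self._token_by_pan:
            # A random token carries no information about the PAN, so it is
            # worthless to an attacker who steals the merchant's database.
            token = "tok_" + secrets.token_urlsafe(12)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the provider calls this, e.g. when forwarding to the processor."""
        return self._pan_by_token[token]


def capture_payment(vault: TokenVault, form: dict, merchant_db: list) -> dict:
    """Merchant side: swap the PAN for a token before anything is persisted.
    The PAN exists only in this function's local scope, never in the database."""
    pan = re.sub(r"[ -]", "", form["pan"])
    token = vault.tokenize(pan)
    record = {
        "order_id": form["order_id"],
        "amount": form["amount"],
        "card_token": token,
        "last4": pan[-4:],                  # enough for receipts and support queries
    }
    merchant_db.append(record)
    return record


# Candidate: 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan arbitrary text (database dump, log file) for anything that looks
    like a PAN. Luhn filtering removes most numeric noise, but a random
    13-19 digit number still passes about 10% of the time, so treat hits as
    leads to verify, not as proof."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample: a careless debug line in the merchant's own logs next
# to the tokenised record it should have been. This is the sort of thing that
# quietly drags a "PAN-free" environment back into scope.
SAMPLE_LOG = (
    "2024-03-01T10:00:00Z INFO order=ORD-1001 card_token=tok_Q2h6ZmVmZjE2 amount=19.99\n"
    "2024-03-01T10:00:05Z DEBUG form={'pan': '4111 1111 1111 1111', 'cvv': '***'}\n"
)


if __name__ == "__main__":
    vault, db = TokenVault(), []
    rec = capture_payment(vault, {"order_id": "ORD-1001", "amount": "19.99",
                                  "pan": "4111 1111 1111 1111"}, db)
    print("stored record:", rec)
    print("PANs at rest in merchant db:", find_pans(repr(db)))
    print("PANs leaked into logs:", find_pans(SAMPLE_LOG))
```

The scanner is deliberately simple: it flags the PAN in the debug log line while ignoring timestamps, order numbers and the token itself. Run something like it over database exports, log archives and backups before an assessment, because one forgotten debug statement re-introduces the data you paid the provider to keep out.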

But be wary.

Working with a PCI Level 1 service provider such as TokenEx does not remove your responsibility. You still need to achieve and maintain compliance for whatever remains in scope, which means completing the correct validation (SAQ or on-site assessment) and engaging a QSA where required, and agreeing in writing which PCI DSS requirements the provider covers and which stay with you. Any service provider that tells you otherwise is misleading you and could leave you with compliance problems further down the road.

Now is the time to review practices and processes that can assist with your cashflow and budgets for the financial year ahead. With the current economic uncertainty and confusion in the marketplace, it’s an ideal time to change your way of thinking and embrace technologies that save you time and money while modernizing your payment processes and platforms.

For more information about TokenEx’s Cloud Security Platform, contact us at info@tokenex.com today.


Topic(s): PCI DSS