PaulDotCom mailing list archives
PCI & Paper Documents
From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Mon, 28 Dec 2009 18:05:27 -0600
I don't believe the PCI DSS specifically states either way; however, I'd suggest that it doesn't matter for 2 reasons.

1. PCI compliance isn't a law, it's just a contractual obligation between the merchant & the payment brand. And I would guess that the same contract includes language about the merchant being responsible and/or liable for the loss of printed card-data as well as electronically stored data. It's been so long since I looked at one of those contracts that I don't remember whether or not that's specifically referenced.

2. In the case of a breach, the payment brands aren't the only source of fines/expenses. Even if the hard copies aren't covered under PCI or any other contract, and you're therefore immune from fines from VISA & friends, you still have to deal with the potential for negative publicity, customer lawsuits, breach notification, loss of customers, etc. The last thing you want is for your business to headline the local news because some punk kid snapped the master-lock on the storage shed where you kept thousands of hard-copies of receipts.

Bottom line is there are still risks associated with storing hard-copies, but the threat is considerably lessened because it's only accessible to people with physical access rather than every Tom, Dick, & Albert on the internet. Your mitigation should be similarly balanced. You probably don't need to treat it like KFC's secret fried chicken recipe, but you shouldn't just ignore it either.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Robert Miller
Sent: Monday, December 28, 2009 2:26 PM
To: Pauldotcom at pdc-mail.pauldotcom.com
Subject: [Pauldotcom] PCI & Paper Documents

Hello Everyone,

Do you know if PCI covers credit card numbers printed on paper and the protections of those said documents?

For example, a customer order form that has been printed out, does this need to be under lock and key or is this not covered by PCI and we should lock it up for our own protection?

Thanks,
- Robert (arch3angel)