Is there any PCI Compliant way to show card data after it has been captured?


Is it ever allowed, or PCI Compliant to collect credit card data and then let the card numbers be seen again at a later date?

I am working in an industry where everyone writes card data down on paper to bring back to their home office. I try to get people to use tokenization, but most have some sort of ERP they want their credit card data in because that is where they actually charge the credit cards.


1 answer

Hunter Green

The short answer is that you can certainly store card numbers, but if you do, the system that you store them on -- and the physical facility in which that system is located, and the people who work in that facility, and the networks in that facility, etc. -- all come within PCI/DSS scope. In practice this may mean that the answer is effectively 'no' because you suddenly have to make every one of those elements conform with the rather onerous requirements of PCI/DSS. If your facility is already highly secure (e.g., hardened systems, background checks on employees, badged access to rooms, etc.) this may be a small price to pay, but if it's not, you may find the idea of getting to full PCI compliance is not worth the benefits of having the card data.

Failing that, it's possible that your bank or processor provides a means to get from the masked card number to the real one for a past transaction via something like a secure web login, which falls within PCI rules as long as your staff doesn't then copy and save the data, just looks at it for the duration of working with it and discards it afterwards. That's what was done at my previous place of employment.
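To make the scope argument in the answer concrete, here is an added example (not code from the question or answer author) of the tokenization pattern the asker mentions: the ERP keeps only a random token and a masked PAN, while the full PAN lives in a single vault, which is the one component that remains in PCI DSS scope. The `CardVault`, `ErpOrder`, `capture_card` and `charge_order` names are assumptions made for the illustration, the vault is a plain dictionary standing in for encrypted storage, and the processor call is simulated. The masking rule it applies (show at most the first six and last four digits) is the standard PCI DSS display rule.

```python
"""Tokenization sketch: the ERP never sees a full PAN.

Added illustration; CardVault, ErpOrder, capture_card and charge_order
are assumed names, the vault storage and the processor call are simulated.
"""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects typos before anything is stored (not a fraud check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits remain visible."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    """The only place a full PAN exists; this component and everything that
    reaches it are in PCI DSS scope.  A real vault encrypts at rest under
    HSM-managed keys; a dict stands in here (assumption for the example)."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


@dataclass
class ErpOrder:
    """What the ERP stores: a token and a masked PAN, never the PAN itself."""
    order_id: str
    amount_cents: int
    card_token: str
    card_masked: str


def capture_card(vault: CardVault, order_id: str, amount_cents: int, pan: str) -> ErpOrder:
    """Capture step: the PAN goes straight into the vault; the ERP record gets
    only the token and the masked form."""
    token = vault.tokenize(pan)
    return ErpOrder(order_id, amount_cents, token, mask_pan(pan))


def charge_order(vault: CardVault, order: ErpOrder) -> dict:
    """Charge step, run inside the scope boundary: the PAN is resolved from the
    token, handed to the (simulated) processor, and never written anywhere.
    The receipt returned to the ERP carries only the masked PAN."""
    pan = vault.detokenize(order.card_token)
    approved = luhn_valid(pan) and order.amount_cents > 0   # stand-in for the processor
    return {"order_id": order.order_id, "approved": approved, "card": mask_pan(pan)}


if __name__ == "__main__":
    vault = CardVault()
    order = capture_card(vault, "ORD-1", 1999, "4111111111111111")  # constructed test PAN
    print(order)                       # shows the token and 411111******1111 only
    print(charge_order(vault, order))
```

The point the split makes: anything that holds `vault` (its host, network segment and operators) inherits the obligations the answer lists; the ERP holding `ErpOrder` rows does not, because nothing in them is cardholder data.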