PCI DSS Compliance and the Storage of Data

I recently wrote about our new ContactWorld PCI mid call IVR product and the advantages it gives by removing the exposure of cardholder data to your call centre agents.

That's important, but it's not the complete story. There is also the difficult issue about what you do when you store cardholder information. Once you store cardholder information it can be potentially accessible by your back office and IT staff. To store it properly you need to encrypt the data and the most difficult part of that is how you manage the encryption keys. That is not easy.

Don't forget that there is certain information, such as the CVV, that you can't store at all.

Again the easiest way to solve this problem is not to store this information at all and let someone else manage that for you.

Remember to check that the service provider you are using is compliant themselves, they really do need to be a level 1 validated service provider as that means that they have been externally audited rather than self certified. Do you really want to trust your customers card details with someone that has marked their own homework?

Fortunately there is an easy way to check compliance on the Visa Europe web site.