PCI DSS compliance is a very hot topic these days. With the number of card data leakage incidents, every organization that cares about its reputation wants to know how to be PCI compliant. A few days back someone asked me about it again: how to be PCI compliant?
My first answer to them is simply to ensure that no card data is stored if they don't need it. Today, many retail outlets, clinics, restaurant chains and others keep card numbers stored in their databases, application logs, etc. Is there a need for it? No, not really. Storing card numbers potentially leads to card data leakage. PCI DSS aims at reducing card data storage. If there is no solid business reason to have the card numbers stored, they should not be stored.
In most cases, the card numbers are stored only for reference purposes and are never really used for any settlement with the corresponding banks. So if the stored card numbers are just going to sit in the database without ever being used, the cost of storing them is much higher than the potential business benefit they would bring.
So according to one of the risk management strategies, risk avoidance, the card numbers should not be stored. By storing card numbers without protection measures you are not in compliance with the PCI DSS standard.
So my first answer to the question "How to be PCI compliant?" is simply "avoid storing cardholder data if it is not needed." If you are facing challenges in achieving this, use the comments section to share your issues.