The Inner Circle

Expand all | Collapse all

Requirements for having PCI data pass through your system

  • 1.  Requirements for having PCI data pass through your system

    Posted 17 days ago
    We are a SaaS company and I have a PCI certified customer that would like to pass us audio calls, with those calls contain credit card information. My firm would remove the PCI information and analysis those calls, providing those insights back to the customer.

    A concern has come up because we are not PCI certified, and we will be receiving the data. I'm interested in how other companies have dealt with this. All the PCI information is removed when we receive the data i.e. we never save or store this data.

    Is there another way to work with PCI Compliant companies without having to be certified yourself?


    ------------------------------
    Greg Collins
    CTO
    ------------------------------


  • 2.  RE: Requirements for having PCI data pass through your system

    Posted 17 days ago


    Does a SaaS company require certification to work with a PCI-compliant company?...








  • 3.  RE: Requirements for having PCI data pass through your system

    Posted 17 days ago
    Hi Greg,
    Your company provide service in scope for PCI-DSS, and your customer should require proof of compliance against PCI-DSS.
    Unfortunately, if you are in scope, you have to be compliant. Your customer is assessed probably as a Merchant, but your company has to be assessed as a PCI-DSS Service Provider. To understand the Service Provider level, you need to speak with your customer and QSA.
    Without your compliance, even your customers are at risk of non-compliance.

    Thanks,

    ------------------------------
    Marco Ricci
    ------------------------------



  • 4.  RE: Requirements for having PCI data pass through your system

    Posted 16 days ago
    Thanks Marco,

    Is the sub-level of PCI-DSS Compliance that I could be certified for?

    I was considering this against Open Banking, where they have a certification for the data holder i.e. Bank, and another certification for the Data Recipient i.e. a FinTech who might analyse your banking transactions.

    ------------------------------
    Greg Collins
    CTO
    ------------------------------



  • 5.  RE: Requirements for having PCI data pass through your system

    Posted 16 days ago
    Hi Greg,
    That's correct; your company has to be assessed against PCI-DSS.
    In PCI-DSS, there are only two levels for Service Providers, and the criteria are straightforward:
    Level 1: Service providers that process, transmit and/or store more than 300,000 transactions per year.
    Level 2: Service providers that process, transmit and/or store fewer than 300,000 transactions per year.
    Different level means different annual validation criteria.
    Very important, review the contract with your "PCI-DSS customers" you should have clauses related to PCI-DSS.

    ------------------------------
    MarcoRicci
    Senior Cyber Compliance Manager
    ------------------------------



  • 6.  RE: Requirements for having PCI data pass through your system

    Posted 15 days ago
    Hi Greg,

    Can you have them remove the PCI data before you get the audio?  You are definitely in scope as a service provider since you will have access to PCI data.

    This is really a liability for both you and your customer. Your customer shouldn't be giving you the PCI data if they don't need to and can remove it prior to giving it you.

    Or is there a third party service that is PCI certified that you can use to scrub the data before sending it to you?  You would have to get your customer on board but will be cheaper and less burdensome for your organization to go this route.

    Troy

    ------------------------------
    Troy Fine
    Schneider Downs
    Schneider Downs
    ------------------------------



  • 7.  RE: Requirements for having PCI data pass through your system

    Posted 13 days ago
    Hi Troy, thanks for your comments.

    Because we are not PCI certified the customer won't be giving us this data. I was hoping there was something I could do to mitigate the risk on both sides, but it is clear that is not possible.

    Thanks again for your feedback.

    ------------------------------
    Greg Collins
    ------------------------------



  • 8.  RE: Requirements for having PCI data pass through your system

    Posted 12 days ago
    Greg:

    If it's not too late, one alternative could be running the tool(s) that remove the payment card info in the customer's environment that's already PCI-DSS compliant and then have it transferred to the SaaS app for processing.

    ------------------------------
    Mosi Platt
    ------------------------------



  • 9.  RE: Requirements for having PCI data pass through your system

    Posted 11 days ago
    AWS and GCP have useful tools - maybe not 100% "off the shelf" but it should be relatively practical with one of the cloud tools or many other 3rd party tools:

    voice to text redaction:
    https://aws.amazon.com/blogs/aws/now-available-in-amazon-transcribe-automatic-redaction-of-personally-identifiable-information/

    audio redaction:
    https://docs.aws.amazon.com/connect/latest/adminguide/sensitive-data-redaction.html

    image PII redaction:
    https://aws.amazon.com/blogs/machine-learning/de-identify-medical-images-with-the-help-of-amazon-comprehend-medical-and-amazon-rekognition/

    I'm sure this wasn't the answer you wanted from a "how to get this deal signed this quarter" view. But in case others stumble upon this thread.


    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 10.  RE: Requirements for having PCI data pass through your system

    Posted 11 days ago
      |   view attached
    Hi Greg,

    You can use ZafePass VPC to get access to the clients PCI information. There are several options .. you can operate ZafePass VPC (there's no hardware) ... you can host it with a provider, your client can have a ZafePass VPC installation, or it can be placed in a public cloud ... depending on where the PCI data is. Once the ZafePass Gateway is pointed at the PCI info any user getting the agent for this specific setup ... will be the only one having access to only that resource. Feel free to contact me for any questions ... and feel free to dump my suggestion if not applicable - but if you want a secure (and I mean extremely secure) connectivity solution to any IT-resource, service, application or any data .. we got a nice way to do this. You can see more in the enclosed PDF.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    +4593631300
    ------------------------------

    Attachment(s)



  • 11.  RE: Requirements for having PCI data pass through your system

    Posted 10 days ago
    The way I am reading this is that the service you are providing is about the data analysis and the PCI data removal is just to avoid you storing it, not part of the service to your client.  If that's correct I'd make a couple of observations.   Your client is storing call data that includes card data.  That's not permitted under PCI DSS unless the data is encrypted.  If it is encrypted and they pass you encrypted card data and you have no way to decrypt it yourself then you are probably off the hook for PCI compliance.  on the other hand, If they are storing unencrypted card data then they need to deal with that themselves before bringing your service in.

    ------------------------------
    steve hancock
    Information security consultant
    Acacia Infosec
    ------------------------------



  • 12.  RE: Requirements for having PCI data pass through your system

    Posted 10 days ago
    Assuming the whole audio file is encrypted at rest and in transit. But then when they transfer it to the downstream service provider, for it to be useful it must be unencrypted (presumably to be reencrypted under a new key by the recipient).  The sender of course could "partially encrypt" just the cardholder data embedded in the audio stream, though this is not likely an off the shelf tool (I haven't researched it), but I would argue just redact it.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------