Purchasing, Travel, and Corporate Cards and PCI Scope – Some Closure!
- Friday, September 25, 2009, 9:17
- Legal & Regulatory
I have blogged here (see here with comments, and here, and here) and elsewhere about whether “corporate cards” used for travel and purchasing should be in the “issuing” school’s own scope for PCI. In other words, if a university (or Megacorp) issues Visa or Amex cards to its staff for travel or purchasing, somebody in the school’s finance or purchasing department will have lists of the PANs. Are the PANs for these university-issued cards in the university’s PCI scope?

Some (including this QSA) feel a PAN is a PAN, and as such these cards are in the issuing school’s scope and the data should be protected per the DSS; others (equally or more qualified) believe the cards are out of scope.

This topic came up again at the QSA/ASV session at the PCI Community Meeting this week, with the suggestion that it was a “brand issue” and I should check the FAQ. So… Here is the FAQ (number 8715) and the Council’s response:

If a merchant or service provider has internal corporate credit cards used by employees for company purchases like travel or office supplies, are these corporate cards considered ‘in scope’ for PCI …