The Corporate Travel Card PCI Challenge

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

When I played high school football, the coach once said to me, “Son, there are three ways you can do things: the right way; the wrong way; and the coach’s way. Which way are you going to do things?” To which I replied, “the coach’s way, sir.” PCI can sometimes get like that when the card brands can’t agree among themselves as to whether something is in-scope or out-of-scope.

Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In my experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.

There is a division of labor in the world of PCI. The PCI Council, among other duties, manages and promotes PCI DSS. The five card brands, on the other hand, enforce the DSS each according to its own lights. Nowhere is this separation of duties--and difference in interpretation and presumably enforcement--clearer than in the world of purchasing and procurement cards.

At the PCI Community Meeting, I asked the Technical Working Group whether a company’s travel and purchasing cards were in-scope, and I was referred to the Council’s FAQ on the subject, which says: PCI DSS applies to any entity that stores, processes or transmits cardholder data. Whether entities with cardholder data on their own corporate cards need to validate compliance is determined by each payment brand individually. Depending on the marks on those corporate cards, please contact the applicable payment brands.

This description is not terribly helpful, but fair enough. The Council (division of labor) sets the rules, and the brands decide how to enforce them. So I contacted each of the brands to see whether it views these cards to be in-scope. Both Visa and MasterCard got back to me within hours, and Discover replied in a day. I got American Express’ answer by speaking directly to its representatives while at the PCI Community Meeting.

MasterCard won my personal prize for succinctness: “MasterCard considers these cards in-scope.” Discover replied similarly: “Per the requirements of the DISC program, which may be found on our Web site, any payment card bearing the Discover logo is considered to be within scope of the PCI DSS.”

Therefore, the answer seemed pretty straightforward: If your company issues MasterCard or Discover branded cards to your employees for travel or purchasing, the cardholder data is in-scope for your PCI assessment.

Visa, however, provided a more nuanced response: “As stated by the PCI DSS, any entity that stores, processes or transmits cardholder data are within scope. The corporate card data itself would not be within scope of an entity's PCI DSS compliance VALIDATION scope but should be secured in accordance with personally identifiable information restrictions. However, if the entity's corporate card information resides in the same systems or unsegmented network as their merchant payment card processing environment, the systems would be within the entity's PCI DSS compliance validation scope.” We should note that the emphasis is Visa’s.

I translate this response to mean that if your Visa branded corporate and purchasing card data is housed somewhere in your merchant cardholder data environment, then and only then would the corporate card data be in-scope. Otherwise, if you issue Visa branded cards for travel or purchasing, then they are out of your PCI scope.

American Express’ response completed the continuum of answers: Amex corporate cards are always out-of-scope. Amex believes it should not require the company issuer to do anything special; any move to protect the cardholder data is up to the company.

So there we have it. If your company issues a travel or purchasing card with the MasterCard and Discover logos, those PANs are in your PCI scope. But these same types of cards carrying the American Express logo are out of scope for the issuing company. And if the cards have the Visa logo, they are only in-scope if the corporate cardholder data is stored in the merchant cardholder data environment.

I don’t know which brand I agree with more. MasterCard and Discover take the position that a PAN is a PAN; game over. Their position has the advantage of being straightforward and internally consistent with PCI DSS, which says that systems that store, process or transmit cardholder data are in-scope. As a QSA, I like that clarity. However, American Express’ position is much more realistic from a business perspective, and it is consistent in its own way because PCI doesn’t require individual cardholders to comply with the DSS. Amex treats the corporate card (usually issued in an individual’s name) and purchasing cards (issued in the company’s name) no differently than it does individual cardholder cards. That is, PCI DSS does not and should not apply.

Visa’s position combines elements from each of the other brands. The corporate and purchasing cardholder data are out-of-scope in just about all cases. The exception is when you put your purchasing and expense report databases in your merchant cardholder data environment. Then everything is in-scope for PCI.

For myself, I suggest you protect these PANs as if they were in-scope regardless of brand. Although your QSA may not consider them in-scope, he or she might want to document your practices as a finding in your ROC. And although the bad guys have not targeted these cards yet, the situation could change. Some of these cards have huge spending limits, so protecting the cardholder data according to the DSS makes good business sense, and it protects your employees, too.
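One practical way to act on that advice is to treat the expense-reporting and purchasing-card exports the way a merchant environment would treat its own PANs: scan reports for full card numbers, and mask them before they are printed or shown to staff who do not need the whole number. The script below is an added example, not code from the column or from any card brand; the report rows, names and amounts are constructed, the card numbers are the brands' publicly documented test numbers (used only because they pass the Luhn check), and the first-six/last-four display rule is an assumption drawn from the DSS masking requirement rather than from anything the column states.

```python
import re

# Constructed sample: a few lines of a hypothetical corporate-card expense
# export, as it might appear on a hardcopy report. Names and amounts are made
# up; the card numbers are the brands' public test numbers, chosen because
# they pass the Luhn check like real PANs do.
SAMPLE_REPORT = """\
employee,card,merchant,amount
A. Traveler,4111 1111 1111 1111,Airline Co,412.50
B. Buyer,5555-5555-5555-4444,Office Supply,89.99
C. Roadwarrior,378282246310005,Hotel Group,1203.00
D. Procurement,6011111111111117,Fixtures Inc,5400.00
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes (the two separators most expense systems emit).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check that
    every brand's PAN must satisfy. Used to weed out phone numbers, order
    ids and other long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display, keeping the first six and last four digits and
    starring the rest. Assumption: this is the widest display the DSS masking
    requirement permits for staff who have no need to see the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate: str) -> str:
    """Strip the separators so the candidate can be Luhn-checked and masked."""
    return re.sub(r"[ -]", "", candidate)


def find_unmasked_pans(text: str) -> list:
    """Detection: return every Luhn-valid 13 to 19 digit run in the text, as
    plain digits. Run this over report exports, mailbox dumps or file shares
    to find full PANs that should not be sitting there."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_report(text: str) -> str:
    """Mitigation: rewrite the text with every Luhn-valid PAN replaced by its
    masked form (separators dropped). Digit runs that fail Luhn are left as
    they are, so amounts and reference numbers survive untouched."""
    def _sub(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print("full PANs found in report:", len(find_unmasked_pans(SAMPLE_REPORT)))
    print(mask_report(SAMPLE_REPORT))
```

The scanner is the piece worth running first: before deciding how much of the DSS to apply to these cards, it helps to know how many copies of the full number already exist in report archives, spreadsheets and e-mail. Masking the export at the source means the hardcopy reports the column mentions never carry a full PAN to begin with.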

I don’t think that the different postures by the respective brands should be enough to sway your company’s issuing decision. There are more important business drivers, such as acceptance, customer support, reporting and cost. But as an IT exec, I think you ought to invite yourself to the meetings where your company decides to issue or renew a contract for these cards. You don’t need a PCI surprise.

Am I happy with this state of affairs? Is it fair to place the burden on merchants? Do I think it likely the card brands will get their acts together and come up with a single position? My answer to all these questions is “no.” It’s like my old high school football coach said. There may be a right way, and there may be a wrong way, but we’re going to do things the coach’s--that is, the five brands’--way.

I’m interested to know what you think. How do you handle your corporate and purchasing cards? Do you even pay attention to them? Leave a comment below, or send me an E-mail: [email protected].