I don't believe the PCI DSS specifically states either way, however I'd suggest that it doesn't matter for 2 reasons.
1. PCI compliance isn't a law, it's just a contractual obligation between the merchant & the payment brand. And I would guess that the same contract includes language about the merchant being responsible and/or liable for the loss of printed card data as well as electronically stored data. It's been so long since I looked at one of those contracts that I don't remember whether or not that's specifically referenced.

2. In the case of a breach, the payment brands aren't the only source of fines/expenses. Even if the hard copies aren't covered under PCI or any other contract, and you're therefore immune from fines from VISA & friends, you still have to deal with the potential for negative publicity, customer lawsuits, breach notification, loss of customers, etc. The last thing you want is for your business to headline the local news because some punk kid snapped the master lock on the storage shed where you kept thousands of hard copies of receipts.

Bottom line is there are still risks associated with storing hard copies, but the threat is considerably lessened because it's only accessible to people with physical access rather than every Tom, Dick, & Albert on the internet. Your mitigation should be similarly balanced. You probably don't need to treat it like KFC's secret fried chicken recipe, but you shouldn't just ignore it either.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Robert Miller
Sent: Monday, December 28, 2009 2:26 PM
To: [email protected]
Subject: [Pauldotcom] PCI & Paper Documents

Hello Everyone,

Do you know if PCI covers credit card numbers printed on paper and the protections of those said documents? For example, a customer order form that has been printed out: does this need to be under lock and key, or is this not covered by PCI and we should lock it up for our own protection?
Thanks,
- Robert (arch3angel)

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
