Information Security
pci-dss credit-card storage pci-scope
Updated Wed, 06 Jul 2022 21:09:53 GMT

Can I show Credit Card Data to final customers and be PCI Compliant?


I work with reservation management systems. In the hospitality industry there is the concept of credit card as guarantee. With it, when making any kind of reservation you are asked for your credit card info in order to secure the reservation; however, you may only be charged, depending on the booking conditions, in the case of a no-show or other concepts that may only occur after the booking process.

For example I may book in January a safari tour happening in October.

So basically for as long as the reservation is valid, you must hold onto the credit card data.

Once the day of the booking arrives and there is a no-show, for example, the hotel personnel (my customers) can query the user's credit card data and charge it.

So if I were to store credit card data in a PCI compliant way, can I then show the users' credit card data to authorized hotel personnel (customers) who must use it to charge the user?

Once again, to clarify: my customers are hotel personnel, tour operators and travel agencies. The users of the system are the people booking through it and giving their credit card numbers.




Solution

Ultimately, I think you're going to have to figure this out with your PCI auditor, which I am not. I think you're going to have a hard time figuring out how to do this in a way that is a) not overly burdensome to you and the ultimate users of the card data, and b) leaves you with a system that is still PCI compliant and that your auditor will give a stamp of approval to, but I also don't think PCI DSS v3 makes it impossible.

This is the most significant issue:

Once card data enters a PCI compliant system, it cannot be extracted and delivered via non-compliant means. This means that you can't get the card data out, and email it to a hotel, for instance, or give to someone over the phone. It must at all times be encrypted, access logged, and unprotected PANs only displayed to those with a legitimate business need.

Now, given that the hotel personnel do in fact have a legitimate business need (they need to be able to charge the card), if access is appropriately restricted and audit logged, you may be able to successfully argue this. It still elevates the level of risk, however, and any given auditor may refuse to buy this line of reasoning.

You would be far better off if you could send the data directly to the hotel's or tour operator's own PCI-compliant processing systems and let them worry about it from there, instead of having to work through human intermediaries.
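As an added illustration, not part of the original answer, of the access model the answer describes (masked by default, full PAN only to a role with a legitimate business need, every access audit logged), here is a minimal Python vault. The role name, booking references and card number are constructed; encryption at rest and key management are assumed to be handled by the storage layer and are not shown.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles permitted to see an unmasked PAN (hypothetical; set from your access policy)
PAN_VIEW_ROLES = {"front-desk-billing"}


def luhn_ok(digits: str) -> bool:
    """Luhn check used as input validation before a PAN is stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    booking_ref: str
    action: str        # "pan.view" or "pan.view.denied"
    reason: str


@dataclass
class CardVault:
    """Card records for live reservations. Encryption at rest is assumed
    to be provided by the backing store (not shown in this example)."""
    _records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def store(self, booking_ref: str, pan: str, expiry: str) -> None:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not luhn_ok(digits):
            raise ValueError("not a valid PAN")
        self._records[booking_ref] = {"pan": digits, "expiry": expiry}

    def masked(self, booking_ref: str) -> str:
        # Default view for every user: at most first six and last four digits
        digits = self._records[booking_ref]["pan"]
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    def unmasked(self, booking_ref: str, actor: str, role: str, reason: str) -> str:
        # Both granted and denied attempts are logged before any data is returned
        allowed = role in PAN_VIEW_ROLES and bool(reason.strip())
        action = "pan.view" if allowed else "pan.view.denied"
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                         actor, role, booking_ref, action, reason))
        if not allowed:
            raise PermissionError(f"role {role!r} may not view an unmasked PAN")
        return self._records[booking_ref]["pan"]
```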