Information Security
pci-dss credit-card pci-scope
Updated Thu, 21 Jul 2022 23:58:07 GMT

Secure online credit card payment on a delayed time scale


I'm in charge of security for a small online store that wishes to request credit card information, but not actually charge the customer until approximately a month after the purchase - this cannot be avoided.

However, it seems to be a nightmare for compliance purposes. It seems as if we'd need to store the credit card details for some time until we charge the customer, possibly necessitating PCI-DSS compliance. We have no use for the numbers after that month-ish long period.

Does this setup necessarily entail PCI-DSS compliance? If it doesn't, what alternatives are there to securely manage that information on this time scale?




Solution

PCI-DSS comes into play in your scenario. Time is irrelevant. It's the storing of the PAN that triggers PCI-DSS complexity.

If you want to avoid it, architect a different approach. For instance, payment processors can put an authorization hold on the funds for a time then process the full payment.

I would talk to the many payment processors out there to see what they can do for your organization.
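The answer's point is that storing the PAN is what pulls your own systems into PCI-DSS scope, so once you move to an authorization hold or a processor-held token you want a way to confirm that no PAN is leaking into your databases, logs or support tickets. The following is an added example (not code from the answer or from any payment processor): a small scanner that finds PAN-shaped digit runs, filters false positives with the Luhn check that all major card brands use, and masks anything it finds down to the last four digits, which PCI-DSS permits you to display. The sample records are constructed for the example; the card numbers in them are the widely published Visa test numbers, not real cards.

```python
import re

# A PAN is 13-19 digits, sometimes written with spaces or dashes between
# groups. The lookarounds stop us from matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised (digits-only) PANs present in a piece of text.

    Order numbers and other long identifiers usually fail the Luhn check,
    so requiring it removes most false positives from a regex alone.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the common PCI-DSS display truncation."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> masked PANs for every record that contains one."""
    hits = {}
    for idx, record in enumerate(records):
        pans = find_pans(record)
        if pans:
            hits[idx] = [mask_pan(p) for p in pans]
    return hits


# Constructed sample: what a log or support-ticket export might look like
# after switching to processor tokens, with two lines that still leak a PAN.
SAMPLE_RECORDS = [
    "order_id=1234567890123456 status=pending_capture",        # not a PAN (fails Luhn)
    "card=4111 1111 1111 1111 exp=12/24 customer=42",           # leaked PAN
    "token=tok_a1b2c3d4 last4=1111 capture_after=2016-09-30",   # tokenised, fine
    'DEBUG request body: {"pan":"4242-4242-4242-4242"}',        # leaked PAN in debug log
]


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: PAN stored in clear -> {masked}")
```

Run this over a database export or a day of application logs before an assessment: any hit means a PAN is being stored or transmitted in the clear on a system you control, and that system is in scope regardless of how briefly the data sits there.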





Comments (1)

  • +0 – Just to add to your answer...PCI applies to all that process, store, or transmit. So regardless of the storing of cards you have to comply with PCI because you are processing and transmitting card payments. Depending on the implementation, the scope and requirements may vary but you will always have to be PCI compliant — Aug 30, 2016 at 00:29