
05-08-2011, 11:36 PM
Web Hosting Master
Join Date: Oct 2005
Location: Surrey BC
Posts: 1,250
PA-DSS what is considered "Card Holder Data"?
Can't seem to find this info but need to find out what is "card holder data"
- PAN
- CVV
- EXP.
- NAME
- Address?
For example...
- Say I have a shopping cart that uses WPS for processing the payment on PayPal's site or another "secure hosted payment form like Auth.net", but the shopping cart software stores the user's name and shipping info (which is also used to calculate shipping) minus any CC PAN/CVV/Exp/etc. Does the cart fall into the scope of PA-DSS (not PCI)?
- Say I have a shopping cart that uses WPS for processing the payment on PayPal's site or another "secure hosted payment form like Auth.net", but the shopping cart software only stores the County/Province/Postal-Zip codes for shipping calculation, and I retrieve/get the customer billing/shipping info off the third-party processor's site by logging in to that site once they are charged on the processor's site. Does the cart in this situation fall into the scope of PA-DSS (not PCI)?
__________________
+ NOW WE'RE MAKING RECORDS, NOW WE'RE MAKING TAPES

05-09-2011, 12:35 AM
Junior Guru Wannabe
Join Date: Jan 2011
Location: Maine
Posts: 59
Generally it is just the PAN, however if you are storing the PAN then just about anything identifiable to the card holder would be card holder data.

05-09-2011, 02:47 AM
Web Hosting Master
Join Date: Oct 2005
Location: Surrey BC
Posts: 1,250
OK, here's some more.
Say a cart does this:
- Collects user name and address to calculate shipping charges, then stores that data locally, not transmitting it anywhere to PayPal.
- The user is then sent to PayPal WPS.
- They enter their CC info on the PayPal site to pay.
- PayPal verifies that the payment was successful and sends the signal back to my cart that payment is successful. No user name or address info is sent anywhere between the two systems.
- The cart marks that cart paid and confirmation emails are sent out.
Since both user and CC data did not interact with each other in any way, and the user data was never transmitted between the two systems, would the name and address apply as "card holder data"?

05-09-2011, 04:03 PM
Web Hosting Guru
Join Date: Apr 2003
Location: Las Vegas, NV -- USA
Posts: 272
Refer back to EMBRobert's post.
If your site does not process, store or transmit the PAN, then any data you store would not be considered cardholder data. If your site does process, store or transmit the PAN, then most anything related to the card number or cardholder is considered cardholder data.
I strongly recommend using a PCI certified gateway that hosts the payment pages and/or tokenization. If your site qualifies for PCI SAQ-A (which from your description it most likely does), then the data you mention is not considered cardholder data.

05-12-2011, 09:59 PM
Junior Guru Wannabe
Join Date: Jan 2007
Posts: 68
In the example you give, you are effectively outsourcing the PA / PCI compliance burden to a 3rd-party processor. This should make you fall under SAQ A, as stated above.
If any card info (PAN, CVV) is entered directly into a form on your site, then your application will need to be PA-DSS compliant and your environment will fall under SAQ D, which is ugly if you aren't geared up for it.
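The two replies above make the same point: the cart stays out of PA-DSS / SAQ D scope only as long as it never stores, processes or transmits the PAN, so the name and postal data it keeps are not cardholder data. One way to check that assumption against the cart's own stored order records is to scan every stored field for Luhn-valid 13-19 digit sequences. This is an added example, not code from the thread or from PayPal / Auth.net; the order records, field names and the one deliberately planted test number are constructed.

```python
import re

# Constructed sample of what a hosted-payment-page cart stores: name and
# shipping data only. Order 1002 has a PAN (the public 4111... test number)
# pasted into a free-text field, which is the kind of leak that would silently
# pull the cart back into scope. Order 1003 holds a 13-digit non-Luhn reference.
SAMPLE_ORDERS = [
    {"order_id": 1001, "name": "A. Customer", "postal_code": "V3T 1A1",
     "province": "BC", "note": "leave at door"},
    {"order_id": 1002, "name": "B. Customer", "postal_code": "90210",
     "province": "CA", "note": "customer said card 4111 1111 1111 1111"},
    {"order_id": 1003, "name": "C. Customer", "postal_code": "04101",
     "province": "ME", "note": "shipping ref 1234567890123"},
]

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> list:
    """Return the digit strings in text that look like a PAN (length + Luhn)."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_orders(orders) -> list:
    """Report (order_id, field, masked PAN) for every stored value holding a PAN."""
    findings = []
    for order in orders:
        for field, value in order.items():
            for pan in find_pan_like(str(value)):
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                findings.append((order["order_id"], field, masked))
    return findings
```

An empty result from scan_orders over the real order table is evidence for the "we never store the PAN" claim behind SAQ A; any finding means the record (and the field that collected it) needs to be cleaned up before the scoping argument holds.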

05-13-2011, 02:53 AM
Web Hosting Guru
Join Date: Apr 2003
Location: Las Vegas, NV -- USA
Posts: 272
BTW, various PCI certified providers have APIs that can virtually hide the offloading of cardholder data so the average customer does not know they left your site. In other words, it does not have to be obvious that you left one site to make a payment on another site -- as is the case with most PayPal integrations.

05-17-2011, 09:53 PM
Disabled
Join Date: Jan 2011
Location: India
Posts: 1,447
This record is for identifying the customer only; there is no fraudulent intention. Suppose in future they have to return the customer's money: they should know from where they got this payment. It helps in arranging a refund to the right account.

05-28-2011, 08:23 PM
Web Hosting Master
Join Date: Oct 2005
Location: Surrey BC
Posts: 1,250