Virtual Cards and PCI DSS Compliance

Unique globalVCard Features

• globalVCard paysystems – PCI 4.0 certified
• Remittance information delivered across secure electronic platform
• Funds are pre-authorized; no forms or signatures are required
• Cards are single-use, greatly reducing risk of fraud after the card has been processed.

Payment Process The virtual card payment process is just like any other credit card transaction process. PCI DSS (Payment Card Industry Data Security Standards) applies to all entities involved in payment card processing. The virtual card product typically generates a lot of PCI-related questions with heightened awareness of the need to protect sensitive card data (PAN, expiration date, etc.). CSI globalVCard ensures the secure method of transmitting these data elements to the vendor, but once the vendor receives and processes payment, the vendor should use their existing PCI-compliant processes to destroy or securely store the sensitive information. Single-Use Virtual Cards and PCI Compliance With respect to our customers receiving a copy of this data for their records, please see the following statement from Mastercard. While it is always a good idea to protect data, (1) these cards do not fall under PCI compliance and (2) they are single-use, meaning there is no fraud risk after the card has been processed by the vendor. “Single use virtual cards do not require PCI DSS be applied because these cards are inactive/disabled after use – therefore the PANS no longer pose fraud risk to the payment system. Virtual Card numbers which are Mastercard corporate cards require no obligation by the corporate card client to provide validation that data is protected in accordance with PCI DSS. The corporate card client is not obligated to secure their data as it is their cardholder data and their risk to assume and manage. As a result, Mastercard does not require corporate card entities to validate PCI DSS compliance for its commercial cards.”

Source: The Mastercard Site Data Protection (SDP) Program Frequently Asked Questions, March 22, 2012

THIS MATERIAL IS FOR INFORMATIONAL PURPOSES ONLY AND NOT FOR THE PURPOSE OF PROVIDING LEGAL ADVICE. YOU SHOULD CONTACT YOUR ATTORNEY TO OBTAIN ADVICE WITH RESPECT TO ANY PARTICULAR ISSUE OR PROBLEM.