TL;DR
Virtual credit cards (VCCs) can fall within PCI compliance scope, but it depends on how you handle them. If you store, process or transmit VCC data, even temporarily, you likely need to meet PCI DSS requirements. If you only use a tokenised service where you never see the actual VCC number, your scope is much reduced.
Understanding Virtual Credit Cards
Virtual credit cards are temporary card numbers generated for single or limited-use transactions. They add security by reducing exposure of your primary account details. There are two main types:
- Single-Use VCCs: Created for one specific purchase, then expire.
- Multi-Use VCCs: Valid for multiple purchases within a defined limit or timeframe.
PCI Compliance and Your Role
PCI DSS (Payment Card Industry Data Security Standard) applies to any organisation that stores, processes, or transmits cardholder data. The key question is whether you interact with the VCC number itself.
Step-by-Step Guide: Determining PCI Scope
Scenario 1: You Directly Handle VCC Data
- If your systems store, process or transmit VCC numbers (even temporarily), you are likely in scope for full PCI DSS compliance. This includes things like:
  - Logging VCC numbers anywhere.
  - Using VCCs within your own e-commerce platform without a compliant payment gateway.
  - Storing VCC details for reporting or analytics.
- You’ll need to complete a Self-Assessment Questionnaire (SAQ) appropriate to your business model and validate compliance annually. The SAQ type depends on how you process payments; check the PCI Security Standards Council website for details.
Scenario 2: You Use a Tokenising Payment Provider
- If you use a payment gateway or third-party service that tokenises VCCs, your scope is significantly reduced. The provider handles the sensitive data and replaces it with a non-sensitive ‘token’; you only interact with the token. For example, if you integrate with Stripe or PayPal using their APIs and never see the actual VCC number, you’re less likely to be in full scope.
- However, you are still responsible for the security of your integration with the provider. This includes:
  - Secure coding practices.
  - Access controls.
  - Regular vulnerability scanning.
- You may need to complete a simplified SAQ (e.g., SAQ A or SAQ A-EP) depending on the integration.
Scenario 3: You Use VCCs Only for Internal Expenses
- If your company uses VCCs solely for internal expenses and doesn’t process external customer payments, PCI DSS requirements may be less stringent. However, you still need to protect the data from compromise.
- Consider implementing strong access controls and encryption where possible.
- Review your contracts with any payment processors or third-party services. They should clearly outline their PCI compliance status and responsibilities.
Technical Considerations
If you do handle VCC data directly, consider these security measures:
- Encryption: Encrypt cardholder data both in transit and at rest. Use strong encryption algorithms (e.g., AES-256). For example, to encrypt a file with OpenSSL (you will be prompted for a passphrase; on OpenSSL 1.1.1 or later include -pbkdf2 so the key is derived with PBKDF2 rather than the deprecated legacy derivation):
  openssl enc -aes-256-cbc -salt -pbkdf2 -in sensitive_data.txt -out encrypted_data.enc
- Tokenisation: Implement tokenisation wherever possible to reduce the amount of sensitive data you store.
- Network Segmentation: Isolate systems that handle cardholder data from other networks.
- Access Control: Restrict access to cardholder data to only those employees who need it.
- Regular Scanning & Testing: Perform regular vulnerability scans and penetration tests. For example, a full TCP port scan of one of your own in-scope hosts (replace target_ip with that host’s address):
  nmap -p 1-65535 target_ip
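A VCC number written to an application log is enough to pull that system into full scope (Scenario 1 above), so a practical complement to tokenisation is to redact card-number-shaped values before they reach the log. The following is an added example, not code from the original article: a small Python log filter that finds 13 to 19 digit sequences, keeps only those that pass the Luhn check (so a 16-digit order ID is left alone), and masks all but the last four digits. The sample log lines and card numbers are constructed test values.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else is replaced with '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form.

    Digit runs that fail the Luhn check (order IDs, timestamps, trace IDs) are left
    untouched, so the redaction does not silently destroy non-card data.
    """
    def _sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    return _PAN_CANDIDATE.sub(_sub, line)


def redact_log(lines):
    """Apply redact_pans to every line; run this before lines are written to disk or shipped."""
    return [redact_pans(line) for line in lines]


# Constructed sample log lines. The card numbers are public test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO charge ok card=4111111111111111 amount=12.50",
    "2024-05-01T10:00:01Z DEBUG vcc issued 5555 5555 5555 4444 for trip#88",
    "2024-05-01T10:00:02Z INFO order_id=1234567890123456 status=shipped",
]

if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

Hook redact_pans into the logging layer (for example a logging.Filter) rather than calling it ad hoc, so no code path can write an unredacted line.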