Do we have to be PCI compliant to store Social Security Numbers in our hosted database

hostingpci-dss

Do we have to be PCI compliant to store Social Security Numbers in our hosted database? We are hosting a CRM database for nonprofits in South Carolina.

Best Answer

No. PCI scope data is credit card numbers, which is typically referred to as the Primary Account Number. (PAN)

The definition from the glossary is as follows:

Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Nevertheless, if located in the United States, you will likely be subject to state and federal laws by storing the social security number and I would suggest you treat it as PCI scope data. If you are not PCI compliant, I would seek the particular laws applicable and treat it as sensitive as possible within your environment. A good idea would be to consult a lawyer.

From a professional perspective, I like to treat data like this as carefully as possible. I often consider how the public would react to my actions if it were to be unintentionally disclosed and act as responsibly as possible.

Best Answer

Related Solutions

What’s the difference between PCI and SAS 70 compliance when I am shopping for a hosting company to stick the servers in

Security – Our security auditor is an idiot. How to give him the information he wants

Related Topic