Do we have to be PCI compliant to store Social Security Numbers in our hosted database? We are hosting a CRM database for nonprofits in South Carolina.
Tags: hosting, pci-dss
Best Answer
No. PCI scope data is credit card numbers, which is typically referred to as the Primary Account Number (PAN).
The definition from the glossary is as follows:
Nevertheless, if located in the United States, you will likely be subject to state and federal laws by storing the social security number and I would suggest you treat it as PCI scope data. If you are not PCI compliant, I would seek the particular laws applicable and treat it as sensitive as possible within your environment. A good idea would be to consult a lawyer.
From a professional perspective, I like to treat data like this as carefully as possible. I often consider how the public would react to my actions if it were to be unintentionally disclosed and act as responsibly as possible.