Do we have to be PCI compliant to store Social Security Numbers in our hosted database? We are hosting a CRM database for nonprofits in South Carolina.

Warner

5 Answers

No. PCI scope data is credit card numbers, which is typically referred to as the Primary Account Number (PAN).

The definition from the glossary is as follows:

Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Nevertheless, if located in the United States, you will likely be subject to state and federal laws by storing the social security number and I would suggest you treat it as PCI scope data. If you are not PCI compliant, I would seek the particular laws applicable and treat it as sensitive as possible within your environment. A good idea would be to consult a lawyer.

From a professional perspective, I like to treat data like this as carefully as possible. I often consider how the public would react to my actions if it were to be unintentionally disclosed and act as responsibly as possible.

Warner
The regulation surrounding Social Security Numbers themselves is different than the regulation surrounding the Payment Card Industry standards.

sysadmin1138
PCI is for payment processing; if you're not processing payments or storing payment information, you shouldn't have to be PCI compliant from a legal standpoint. If you are handling social security numbers, you should be very careful.

You need to check data breach statutes for your state. SSNs definitely fall under personal identifying information, as do some of the other data you may be storing. At minimum, you need to encrypt the stored data. You also need to pay attention to access controls. PCI-DSS is not applicable, but depending on the industry you are in, the Gramm-Leach-Bliley Act may apply, as well as other federal and state laws.

Craig
http://www.nelsonmullins.com/DocumentDepot/June%2025th%20Breach%20Management%20Slides.pdf

South Carolina Data Breach Survival Guide

jl.