
Card Expenditure Information Management Software


PCard_Admin
07-19-2007, 06:44 AM
Hi,
Our company builds software that allows card users to view and edit electronic transaction files issued by their card-providing bank. As such, this software does not process any card payments and only uses the card number to identify the card holder.
No other data is stored, such as expiry date, PIN, card holder address etc.

Could anyone advise if this type of management information software falls under PCI DSS, and if so, at what level?
Many thanks for any help....

lyalc
07-19-2007, 03:17 PM
As you store the card account number, the minimum amount needed to be in scope for PCI DSS, this application falls under PCI DSS and is also in scope for certification under Visa's recommended Payment Application Best Practices (PABP).

Is it practical to modify the application to only store and display the recommended maximum portion of the card account number, i.e. the first 6 and last 4 digits?

Doing so would simplify the life of your customers during their PCI audits/self assessments.

PABP certification for your software would make life even better for your customers, since it directly removes a number of the application design questions from their PCI audit/self assessment.


Lyal
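The truncation Lyal suggests (keep only the first 6 and last 4 digits) as an added example in Python; this is not code from the original thread or from either poster's product. It normalises a PAN, checks length and Luhn before treating the field as a card number, and masks the middle digits with `*` (the mask character and the 13-19 digit length range are this example's assumptions). It also shows the check a practitioner would want before making the truncated value the application's cardholder key: two distinct PANs can share the same first 6 and last 4 digits, so the truncated form cannot identify a cardholder on its own. All PANs below are constructed test values, not real cards.

```python
import re
from collections import Counter


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """True if value looks like a PAN: 13-19 digits (after stripping
    spaces/dashes) that pass the Luhn check. Length range is an assumption."""
    digits = re.sub(r"\D", "", value)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(value: str, mask_char: str = "*") -> str:
    """Return the PAN with only the first 6 and last 4 digits visible.

    This is the maximum portion PCI DSS allows to be displayed without
    the full PAN being in scope; everything between is replaced by
    mask_char so the original cannot be recovered from the stored form.
    """
    digits = re.sub(r"\D", "", value)
    if not is_pan(digits):
        raise ValueError("not a valid PAN (length or Luhn check failed)")
    return digits[:6] + mask_char * (len(digits) - 10) + digits[-4:]


def truncated_collisions(pans: list[str]) -> dict[str, int]:
    """Map each truncated PAN that more than one input PAN maps to, to the
    number of PANs sharing it. A non-empty result means the truncated PAN
    cannot be used as a unique cardholder identifier for this data set."""
    counts = Counter(mask_pan(p) for p in pans)
    return {masked: n for masked, n in counts.items() if n > 1}


# Constructed test PANs (Luhn-valid, not real cards). The first two share
# first 6 and last 4 digits and differ only in the masked middle.
SAMPLE_PANS = [
    "4111 1111 1111 1111",
    "4111-1100-0009-1111",
    "4222222222222",        # 13-digit example
]

if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(f"{pan!r:>24} -> {mask_pan(pan)}")
    print("collisions:", truncated_collisions(SAMPLE_PANS))
```

Run it and the first two sample PANs both come out as `411111******1111`, which is exactly why the application in the question, which uses the card number to identify the card holder, needs a separate identifier (an internal account or employee ID, for example) if it switches to storing the truncated form.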