Corporate purchase cards


DuvenJ
04-24-2008, 07:11 AM
Some of you may have heard about the GAO's report on US Government-wide Purchase Cards. This report is causing many reevaluations of Purchase Card controls and systems. I am involved in a PCI Compliance program and we have been in the process of finding system components that belong in the PCI DSS Scope. Many internal Purchase Card management systems store the PAN as part of the function of the system. (These systems are never involved in payment transactions.)

So should these systems be covered by our PCI Compliance?

From “Payment Card Industry (PCI), Data Security Standard, Version 1.1”, I see that these requirements apply any time the PAN is stored. So this seems to indicate that these systems are in the PCI DSS Scope.

However, in our assessment, we are doing a self-assessment. This includes a merchant and a service-provider attestation. For these Purchase Cards, we are the cardholder. The employee is a limited authorized agent of the organization. So this seems to indicate that we do not have to attest for any of these systems.

At this point, we are considering PCI DSS “best practice” for internal Purchase Card controls and systems.

Our question: does PCI regulation (and compliance) apply to Purchase Card controls and systems (outside of payment transactions) in the Corporate or US Government-wide sector? If so, how would the organization attest to compliance?

Or, is taking a “best practice” approach the way to go?

Thanks

wconway
04-24-2008, 07:38 AM
As a start, see this thread: http://forum.pcianswers.com/showthread.php?t=538 in PCI Q&A.