
PCI and storage of PAN

As technologies evolve, and more and more companies outsource their card payment systems, the question we receive from entities time and again as QSAs is “We don’t store cardholder data. Is PCI still applicable to us?”

The short answer is YES.

The longer answer is that PCI compliance applies to everyone who stores, processes or transmits cardholder data. Thus, if you are a retailer, an e-commerce portal, or a service provider, and there is any way you can impact the security of card information, then PCI compliance will apply to you.

The good news is, depending on your merchant level (determined by your acquirer), the number of PCI controls that apply to you may be somewhat reduced, thus making it super easy to achieve and stay compliant.

If you are a level 3 or level 4 merchant, you may qualify to complete an applicable self-assessment questionnaire, self-attest to your compliance, and you are done! VikingCloud offers a portal which further simplifies the complete process of becoming compliant and staying compliant.

If you are a level 1 or level 2 merchant / service provider, and you don't store cardholder data, then your compliance journey is still comparatively easy if you work with a QSA Company who can guide you all the way. While level 1 merchants have to engage a QSA, level 2 merchants completing SAQ B, B-IP, C-VT or C can self-assess without involving a QSA. All other SAQ types for level 2 merchants require you to engage a QSA.

Remember, the cost of being non-compliant is far greater than the cost of becoming compliant. You may face significant monthly fines, or loss of business. Cyber-attacks are getting increasingly complex, and in some cases data compromises take place for 3 to 6 months before the merchant becomes aware of a breach. Card brands may fine the merchant depending on the extent of the breach. They may also halt payment processing, leading to direct loss of revenue, damage to reputation and loss of customer trust.

PCI DSS compliance is designed to ensure all businesses can be compliant, and depending on the risk the business represents to the card brands, your reporting requirements may not be as complex as you thought. By not storing cardholder data in your environment, you have a head start in your journey to becoming compliant.

Visit for more information about how to ensure your organization is PCI compliant or contact the VikingCloud team.



Andrea Sugden
Chief Sales and Customer Relationship Officer
