
Are private-label credit cards (PLCC) exempt from PCI-DSS?

We are currently tokenizing all MasterCard and Visa cards accepted on our site and not storing card data, but we do not do the same for private-label cards. The private-label cards aren't backed by MasterCard/Visa and can only be used in-store and on our client's website. Are we violating PCI compliance by not treating these cards the same way as Visa/MasterCard, even though they are in effect 'credit' cards?

PCI is more than just Visa and MasterCard. If any of those private-label cards are a Participating Organization of the Payment Card Industry Security Standards Council, you are violating PCI. There are currently 798 participating members.

Private-label cards are entirely under the purview of their issuer, if they aren't "cobranded" (by also having a credit card network's logo). The issuer may require PCI compliance, and if they're part of the PCI council (as John Conde's answer says) they are likely to choose to do so. But it isn't required of them.

It's good practice on your part to default to treating them as PCI even if not required, simply because someone may make a mistake and type a regular credit card into the private-label card field. However, if the issuer asks you to do something that would be a PCI violation, such as storing the CVV or displaying the full card number to someone, you can safely comply. (If the merchant asks you to do so without getting approval from the bank that's backing their cards, that could be a problem, but that's between the merchant and the bank.)
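The misroute the answer above warns about, a Visa or MasterCard number typed into the private-label field, can be caught at input time. The following is an added example, not code from the question or either answer: it runs a Luhn check, classifies the PAN by the networks' public IIN prefixes (Visa: 4; MasterCard: 51-55 and 2221-2720), and pushes every card through a tokenizer so only a token and the last four digits are kept. The private-label prefix `7777` and the `InMemoryVault` class are hypothetical stand-ins; a real issuer publishes its own IIN range and a real deployment uses a PCI-scoped tokenization service.

```python
"""Added example, not code from the original question or either answer.

Classifies a card number submitted in the private-label field so that a
misrouted Visa/MasterCard number is tokenized like the rest and never
stored in the clear.

Assumptions (not stated on the page): the private-label issuer's IIN prefix
'7777' and the InMemoryVault tokenizer are hypothetical stand-ins.
"""
import re
import secrets

PRIVATE_LABEL_PREFIX = "7777"  # hypothetical; substitute the issuer's real IIN range


def normalize(raw: str) -> str:
    """Strip the spaces and dashes users type between digit groups."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812); every network-branded PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(raw: str) -> str:
    """Return 'visa', 'mastercard', 'private-label', 'unknown' or 'invalid'."""
    pan = normalize(raw)
    if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_valid(pan):
        return "invalid"
    if pan.startswith("4") and len(pan) in (13, 16, 19):
        return "visa"
    if len(pan) == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    if pan.startswith(PRIVATE_LABEL_PREFIX):
        return "private-label"
    return "unknown"


class InMemoryVault:
    """Hypothetical tokenization vault mapping random tokens to PANs.
    Stands in for a PCI-scoped tokenization service; the application
    database only ever sees the token."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_urlsafe(16)   # unguessable, carries no PAN digits
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def handle_private_label_field(raw: str, vault: InMemoryVault) -> dict:
    """Process a value submitted in the private-label card field.

    Whatever the brand, only a token and the last four digits are kept
    (the answer's advice: default to PCI handling). The record flags
    network-branded cards so the misroute can be logged and the data
    treated as in scope.
    """
    kind = classify(raw)
    if kind == "invalid":
        raise ValueError("not a well-formed card number")
    pan = normalize(raw)
    return {
        "brand": kind,
        "network_branded": kind in ("visa", "mastercard"),
        "token": vault.tokenize(pan),
        "last4": pan[-4:],
    }


if __name__ == "__main__":
    vault = InMemoryVault()
    # Constructed sample inputs: public network test PANs plus a Luhn-valid
    # number under the hypothetical private-label prefix; none is a real account.
    for entry in ["7777 0000 0000 0006", "4111 1111 1111 1111",
                  "5555-5555-5555-4444", "2221000000000009", "4111111111111112"]:
        try:
            print(handle_private_label_field(entry, vault))
        except ValueError as exc:
            print(entry, "->", exc)
```

The IIN table is deliberately limited to the two networks the question names; a production version would load the full BIN list from the acquirer, and the `network_branded` flag is what you would alert on, since it means cardholder data that is unquestionably in PCI scope arrived through a field that was not designed for it.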

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
