PCID-04
Standard
Weight: 5

Cardholder Data Handling Practices

Plain English Explanation

This fundamental question asks whether the vendor's systems touch credit card information in any way—storing it in databases, processing payments, or even just passing the data through their servers. It's asking if payment card numbers, expiration dates, or security codes ever enter their systems, even temporarily. This is the gateway question that determines whether PCI DSS requirements apply.

Business Impact

If a vendor handles cardholder data, you inherit significant compliance obligations and potential liability. This can increase your audit costs by $10,000-$100,000 annually and expose you to breach liability averaging $3.86 million per incident. Conversely, vendors who don't touch card data can dramatically simplify your compliance landscape and reduce security risks.

Common Pitfalls

Many companies incorrectly believe that encryption eliminates the need for PCI compliance—encrypted cardholder data still counts as cardholder data under PCI DSS. Another mistake is overlooking temporary data storage in logs, backups, or memory, which all count as 'storing' cardholder data.
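A practical check for the logging pitfall above: the script below is an added example (not part of this questionnaire and not any vendor's tooling) that scans constructed sample log lines for Luhn-valid card numbers and shows how a PAN can be masked before it is ever written to a log, backup or crash dump. It relies on the Python standard library only; the sample lines and the well-known test card numbers in them are constructed for illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (avoids matching order ids with extra digits).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out timestamps, order ids and other numeric noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(line: str) -> list[str]:
    """Return every Luhn-valid PAN found in a single log line."""
    return [_digits(m) for m in PAN_CANDIDATE.finditer(line) if luhn_ok(_digits(m))]


def mask_pans(line: str) -> str:
    """Replace each valid PAN with first-6/last-4 truncation, which PCI DSS allows to be stored."""
    def repl(m: re.Match) -> str:
        d = _digits(m)
        return d[:6] + "*" * (len(d) - 10) + d[-4:] if luhn_ok(d) else m.group()
    return PAN_CANDIDATE.sub(repl, line)


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Report (1-based line number, PANs) for every line that contains cardholder data."""
    return [(n, find_pans(l)) for n, l in enumerate(lines, 1) if find_pans(l)]


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO checkout ok order=1234567890123456 amount=19.99",
    "2024-03-01T10:15:03Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/26",
    "2024-03-01T10:15:04Z ERROR retry failed for 378282246310005",
]

if __name__ == "__main__":
    for line_no, pans in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cardholder data present ({len(pans)} PAN(s))")
        print("  masked:", mask_pans(SAMPLE_LOG[line_no - 1]))
```

The 16-digit order id on the first line is deliberately not Luhn-valid, so it is not reported; the spaced Visa test number and the 15-digit Amex test number are.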

Question Information

Category: PCI Compliance
Question ID: PCID-04
Version: 4.1.0
Importance: Standard
Weight: 5/10