We recently ran into some questions from multiple organizations regarding PCI DSS applicability to closed or inactive credit card account numbers. For example, when someone passes away, the disposition of their debts and assets may go through probate. What may happen during this process is the collection of all of the deceased’s debt accounts, including credit cards, to determine how claims will be paid from the estate. Based on discussions with some of our clients, the credit card accounts are closed before they are handed over to the probate organization. That being said, these organizations will have credit card data in their systems, albeit inactive account numbers.
The PCI DSS version 2.0 states that “the primary account number is the defining factor in the applicability of PCI DSS requirements.” If the PAN is stored then PCI DSS requirements should apply. However, there is no mention of applicability to just active cards or if it applies to inactive/closed accounts as well. Next step was to check the PCI SSC FAQs. Here is the text from the FAQ #5382:
“Does PCI DSS apply to “hot cards,” fraudulent or invalid card numbers, or cancelled cards?
If the issuer confirms the cards are inactive or disabled, the PANs (Primary Account Numbers) no longer pose fraud risk to the payment system. The PCI DSS would not apply in these cases. If however, the PAN is later reactivated, PCI DSS will again apply.”
Just to make sure we offer the best advice possible, we contacted Visa and MasterCard to ensure we provided an accurate recommendation on what, if any, PCI compliance obligations exist. We received the following statements from Visa and MasterCard regarding closed accounts:
“Provided the credit card numbers stored by your client are dead, inactive, or closed accounts and there is no method to reconstruct these accounts as an active account, those records are out of scope for PCI DSS compliance.” - From:email@example.com.
However, in those rare instances where there is an active card mixed in with the storage of the dead cards, the entire environment would be within scope of the PCI DSS. If the active cards are segmented out, that segment would be in scope of the PCI DSS.
“PANs that were not active pose no threat to the payment system. If they are re-activated, then PCI would apply. Also, if there are any live PANs within that environment – then PCI would apply.” – From: firstname.lastname@example.org.
Bottom line: Inactive and closed accounts do not fall into scope for PCI DSS compliance. However, organizations need to ensure that the accounts are truly inactive in order to figure out when PCI applies. In probate cases, credit card companies most likely closed the account when they received notice of the account holder’s death and before they file a claim against the estate. Other types of cases to consider are expired account numbers that may be sitting in a merchant or service provider’s databases. Just because the expiration date on a credit card may have passed, it doesn’t mean that the account associated with that card number has been closed. Typically, cards expire every 2-5 years, but you’re usually issued a new card with the same account number and an updated expiration date. We recommend that organizations have a process in place to ensure that accounts are closed prior to storage of credit card information if they are trying to avoid PCI DSS requirements. Proper security controls based on the sensitivity of data and a risk analysis should also be implemented to protect any sensitive personal or business information.