Everyone knows that standard payment card information must be protected according to the PCI DSS, but what about virtual cards? Is this information also in scope for PCI?
When we refer to virtual cards, there is no physical card involved, but virtual cards come in two types: single-use and multiple-use cards. With single-use cards, temporary account numbers are used, so if a criminal obtained the account number they would not be able to take advantage of it, because it is valid for a single transaction only. Multiple-use cards, unfortunately, are more like standard physical cards and can be used for repeated authorizations/transactions.
Specific guidance about how this information must be protected is not to be found within the many pages of the PCI DSS. However, the Payment Card Industry Security Standards Council (PCI SSC) refers to virtual cards in FAQ Article 1286 which states:
“PCI DSS applies to all primary account numbers (PANs) that represent a PCI founding payment card brand (American Express, Discover, JCB, MasterCard, or Visa). This includes PANs that are only provided electronically (virtual PANs), as well as PANs that correspond to a physical payment card.”
FAQ 1285 focuses specifically on one-time PANs:
“Whether a one-time PAN is in scope for PCI DSS will depend on the particular restrictions around their usage as defined by the payment brands. Entities should contact the applicable payment brand to determine how PCI DSS applies.”
Breaking down these two entries, we can assume that multi-use virtual cards should be protected just as regular payment cards are, and are fully in scope for PCI. With one-time use cards, however, the onus has been placed on the card brands to determine scope requirements so we have to look to each brand for their opinion.
MasterCard has always held the view that single-use PANs are not in scope for PCI DSS:
“MasterCard does not consider Single Use Virtual Card Numbers (SU-VCNs) to be in scope of PCI DSS requirements. The SU-VCN becomes inactive/disabled after only one authorization; therefore, the virtual PAN data cannot be reused for fraudulent activities within the payment ecosystem.”
Prior to October of 2019, Visa had a conflicting opinion. However, a recent Visa Data Security bulletin addressed PCI DSS Applicability for Virtual Accounts and provided updated guidance clarifying their stance on single use virtual accounts. This new document defined Visa’s position:
“Visa considers single-use virtual account numbers out of scope for PCI DSS protection requirements based on the low risk of fraud associated with the account type.”
American Express, Discover, and JCB have no official opinion on virtual one-time cards and whether they are in/out of scope for the PCI DSS. Without official guidance or alternate opinions, single use virtual accounts issued by these card brands should be considered in scope for PCI.
As you continue to evaluate and monitor your payment card merchants, pay close attention to those areas that are receiving virtual card payments. It is important to determine if the payments being received are single-use or multi-use, as multi-use virtual cards are most definitely still in scope for PCI. Merchants may need to reach out to the payer(s) that are providing these account numbers to verify the type of virtual card they are using.
We still recommend following information security best practices to protect single-use virtual account numbers, but these do not have to be considered when completing your annual PCI DSS attestation. It is important to note that any systems that are accepting both single-use and multi-use virtual cards are in scope for PCI and should meet all requirements of the DSS.
Additional guidance from our Offensive Security team below:
[Burt]: There are a couple of things to keep in mind in regards to single-use, virtual card numbers:
1) If your organization is receiving this type of payment from Visa or MasterCard, remember that only these types of PANs are not in scope for PCI. In other words, if your organization also processes, transmits, or stores the traditional PANs, then your environment is still in scope for PCI (i.e. you do not get a free pass from having a cardholder data environment just because single-use virtual card numbers are being received. Sounds self-explanatory, but you would be surprised what some organizations believe).
2) American Express, Discover, and JCB have not provided an official response or further guidance on the single-use, virtual card numbers in regards to PCI scope. So, based on the PCI Council’s FAQ 1285, this means that if your organization deals with single-use virtual card numbers from these three card brands, the PANs must be considered in PCI scope.