Do we have to be PCI compliant to store Social Security Numbers in our hosted database?
Do we have to be PCI compliant to store Social Security Numbers in our hosted database? We are hosting a CRM database for nonprofits in South Carolina.
No. PCI scope data is credit card numbers, which is typically referred to as the Primary Account Number (PAN).
The definition from the glossary is as follows:
Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Nevertheless, if located in the United States, you will likely be subject to state and federal laws by storing the social security number and I would suggest you treat it as PCI scope data. If you are not PCI compliant, I would seek the particular laws applicable and treat it as sensitive as possible within your environment. A good idea would be to consult a lawyer.
From a professional perspective, I like to treat data like this as carefully as possible. I often consider how the public would react to my actions if it were to be unintentionally disclosed and act as responsibly as possible.
The regulation surrounding Social Security Numbers themselves is different than the regulation surrounding the Payment Card Industry standards.