Is One Password a PCI compliant way to store credit card information?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • MikeTMikeT Agile Samurai

    Team Member
    edited June 2015

    Hi @janecaplow,

    PCI is not meant for local encryption programs, it's meant for store vendors, retailers and merchants who are taking in/transferring your credit card information, processing it, and then storing it. They need to do it via PCI compliant methods to protect your credit card data as it is transmitted between you and them.

    We're not merchants nor do we transmit or transfer your credit card data, we store your credit card the same way we store everything else, with strong AES-based encryption protocols along with PBKDF2, SHA-256, and so on. In addition, you're entering your information into the data vault locally on your computer that you have total control over, something that PCI wasn't meant for.

  • janecaplowjanecaplow
    Community Member

    So if we use Square or Wepay to process credit card payments it's more a question for them, or because they probably don't store credit card numbers, it's irrelevant?

  • MikeTMikeT Agile Samurai

    Team Member
    edited June 2015

    Hi @janecaplow,

    They definitely should be complying with PCI regardless of storing and in certain states, they must comply with it; they're transmitting the credit card from you over the internet to their servers (they have to store it somehow to run it) and then processing your credit card information. Once they're done, they should not store your credit card. That's what PCI is really about, how to take the information from the customers, process it and then clean up, all from the start to finish.

    How to store or not store the credit card is just one checkbox on the list for PCI compliance, how to transmit and process your data are two more on the checklist. There are 12 requirements, you can find more information here: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#Requirements

    If for an example, we have a service on our own servers and we do something with your credit card, then we must comply with PCI. But we don't do anything with your data, you're in charge of the data in 1Password and none of it leaves your control and we do not store any of your 1Password data on our servers.

    Actually, another example would be that our payment processors at our web store must comply with PCI but the burden is on them, not us.

  • janecaplowjanecaplow
    Community Member

    Thanks for all of your help Mike. Very helpful!

  • MikeTMikeT Agile Samurai

    Team Member

    You're welcome.

This discussion has been closed.