If a merchant or service provider has internal corporate credit cards used by employees for company purchases like travel or office supplies, are these corporate cards considered ‘in scope’ for PCI DSS?
Each payment brand has individually determined whether companies that use their corporate card solution(s) need to validate compliance with the PCI DSS.
Please contact the relevant brand from the list below (which matches the brand on your corporate card) to confirm their validation requirements:
- Visa: cisp@visa.com
- American Express: express.data.security@aexp.com
- Discover: askdatasecurity@discoverfinancial.com
- JCB: riskmanagement@jcbati.com
Note: If Barclaycard supply your corporate card solution, and if you store, process or transmit the card information on your systems, we require you to report your compliance with the PCI DSS.