A common question we receive is about Corporate Cards and PCI compliance. Corporate Cards, credit cards held by employees for corporate purposes, are not usually subject to the scope of PCI DSS compliance. Corporate Cards are classified as internal accounts, and PCI DSS applies only to external accounts. The full definition of internal vs. external accounts is discussed in the whitepaper referenced below. The Oracle E-Business Suite's functionality for protecting external accounts does, however, include protection for Corporate Cards: when the functionality is enabled to protect external accounts, Corporate Cards are protected as well.
While it is highly recommended by both Integrigy Corporation and the PCI Council to appropriately protect Corporate Cards, specific guidance and requirements for the protection of corporate cards should be sought from legal counsel and compliance teams as well as the issuer of the Corporate Card.
For further information on PCI compliance, Corporate Cards and the E-Business Suite please refer to our whitepaper in the link below.
In the next blog posting we will review the Oracle E-Business Suite’s definition of internal vs. external accounts.
If you have questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP