To comply with PCI DSS requirement 4, you need to know where you send your cardholder data. Here are common places where primary account numbers (PAN), and sometimes CVC/CVV/CV2 numbers, are sent:
- Backup services
- Third parties that store or handle PAN (usually payment providers)
- Outsourced Management of Systems or Infrastructure
- Corporate Offices
You then need to use strong encryption and have updated security policies in place when you transmit this cardholder data over any open and/or public networks.