Wednesday, July 31, 2013

Credit Card Data Storage and PCI Compliance

Some credit card data can be stored by an e-commerce site, provided adequate security measures are implemented. The table below (from the PCI DSS) lists which data elements may be stored and which must never be retained after authorization.


| Category | Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | Yes [1] | No |
| Cardholder Data | Service Code [1] | Yes | Yes [1] | No |
| Cardholder Data | Expiration Date [1] | Yes | Yes [1] | No |
| Sensitive Authentication Data [2] | Full Magnetic Stripe Data [3] | No | N/A | N/A |
| Sensitive Authentication Data [2] | CAV2/CVC2/CVV2/CID | No | N/A | N/A |
| Sensitive Authentication Data [2] | PIN/PIN Block | No | N/A | N/A |

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

[2] Sensitive authentication data must not be stored after authorization (even if encrypted).

[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.

Summary

Cardholder data whose storage is permitted must be encrypted per PCI DSS requirements.

Furthermore, the entire system hosting the data store must adhere to PCI DSS requirements.

If your site stores credit card information, then your site is a target.

Alternatives include storing credit card information at your processing gateway, or using a tokenization service to store the credit card information on your behalf.
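As an added illustration (not code from the original post), here is a pre-storage filter that applies the table above to a post-authorization payment record: it refuses sensitive authentication data, sanity-checks the PAN, and renders the PAN unreadable using two of the Requirement 3.4 methods (truncation and a keyed one-way hash). The field names and the HMAC key are assumptions for the example.

```python
import hmac
import hashlib
import re

# Rows of the table marked "Storage Permitted: No" (sensitive authentication
# data). These must never reach storage after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {
    "cvv", "cvv2", "cvc", "cvc2", "cav2", "cid",
    "pin", "pin_block", "track1", "track2", "magstripe",
}

# Defensive check for raw magnetic-stripe data hiding in an unexpected field:
# track 1 starts with "%B<PAN>^", track 2 with ";<PAN>=<YYMM>".
TRACK_DATA_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Sanity check that a PAN-shaped string really is a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def render_pan_unreadable(pan: str, key: bytes) -> dict:
    """Req. 3.4 methods: truncation (first 6 / last 4 kept) plus a keyed one-way
    hash as a lookup index. `key` is a hypothetical secret managed per PCI DSS."""
    truncated = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"pan_truncated": truncated, "pan_token": token}


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Reduce a payment record to what the table permits, with the PAN rendered
    unreadable. Raises ValueError on anything that must not be stored."""
    stored = {}
    for field, value in record.items():
        if field.lower() in SENSITIVE_AUTH_FIELDS or TRACK_DATA_RE.search(str(value)):
            raise ValueError(f"refusing to store sensitive authentication data: {field}")
        if field.lower() == "pan":
            digits = re.sub(r"\D", "", str(value))
            if not luhn_ok(digits):
                raise ValueError("PAN fails Luhn check")
            stored.update(render_pan_unreadable(digits, key))
        else:
            # Name, expiry, service code: permitted, but protected per footnote [1].
            stored[field] = value
    return stored
```

Even with this filter, the database and host remain in PCI scope; only handing the PAN to a gateway or tokenization service takes it out.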

References

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf
http://en.wikipedia.org/wiki/Tokenization_(data_security)

1 comment:

  1. I have checked the previous best practices of the PCI compliance and this time also. These all are very helpful for different operators as well as systems and able to match up with the unique requirements of engineers.