News | November 11, 2008

PCI Data Storage Do's And Don'ts


Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) is to "protect stored cardholder data." The public assumes merchants and financial institutions will protect data on payment cards to thwart theft and prevent unauthorized use. But merchants should take note that Requirement 3 applies only if cardholder data is stored. Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves.

For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data. To prevent unauthorized storage, only Council-certified PIN entry devices and payment applications may be used.

PCI DSS compliance is enforced by the major payment card brands who established the PCI DSS and the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa.

Basic PCI Data Storage Guidelines for Merchants

  • Do understand where payment card data flows for the entire transaction process
  • Do not store cardholder data unless it's absolutely necessary
  • Do verify that your payment card terminals comply with the PCI personal identification number (PIN) entry device (PED) security requirements
  • Do not store sensitive authentication data contained in the payment card's storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization
  • Do verify that your payment applications comply with the Payment Application Data Security Standard (PA-DSS)
  • Do not have PED terminals print out personally identifiable payment card data; printouts should be truncated or masked
  • Do retain (if you have a legitimate business need) cardholder data only if authorized, and ensure it's protected
  • Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones
  • Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals
  • Do not locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room
  • Do ensure that third parties who process your customers' payment cards comply with PCI DSS, PED and/or PA-DSS as applicable. Have clear access and password protection policies
  • Do not permit any unauthorized people to access stored cardholder data

Technical Guidelines for Stored Payment Card Data

PCI DSS Requirement 3 details technical guidelines for protecting stored cardholder data. Merchants should develop a data retention and storage policy that strictly limits storage amount and retention time to that which is required for business, legal, and/or regulatory purposes. Sensitive authentication data must never be stored after authorization - even if this data is encrypted.

  • Never store full contents of any track from the card's magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data). If required for business purposes, the cardholder's name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.
  • Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).
  • Never store the personal identification number (PIN) or PIN block.
  • Be sure to mask the PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed. This requirement does not apply to those authorized with a specific need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data, such as on a point-of-sale receipt.
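As an added example (not part of the article), the Python below applies the rules above to a captured swipe: it drops every sensitive authentication data field, keeps only the storable elements, renders the PAN unreadable at rest with a keyed one-way hash, and masks it to the first six and last four digits for display. The field names, the sample swipe and the HMAC key are constructed; the track 2 layout follows ISO/IEC 7813.

```python
import hashlib
import hmac
import re

# Sensitive authentication data: never stored after authorization, even encrypted.
SAD = {"track1", "track2", "cvv", "pin", "pin_block"}

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMM SSS discretionary?
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})"
    r"(?P<discretionary>[^?]*)\??$")

def parse_track2(track2: str) -> dict:
    """Split raw track 2 into PAN, expiry, service code and discretionary data."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("unrecognised track 2 data")
    return m.groupdict()

def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 12:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def protect_pan(pan: str, key: bytes) -> str:
    """Render the PAN unreadable at rest with a keyed one-way hash (HMAC-SHA256,
    constructed key); strong encryption is an equally valid choice."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def find_sad(record: dict) -> list:
    """Write-path check: list any populated SAD fields in a record."""
    return sorted(k for k, v in record.items() if k in SAD and v)

def to_storage(captured: dict, key: bytes) -> dict:
    """Reduce a captured swipe to the elements allowed in storage."""
    fields = parse_track2(captured["track2"])  # discretionary data is dropped
    record = {"cardholder_name": captured.get("cardholder_name"),
              "pan": protect_pan(fields["pan"], key),
              "pan_display": mask_pan(fields["pan"]),
              "expiry": fields["expiry"], "service_code": fields["service_code"]}
    assert not find_sad(record)  # nothing from the SAD set survives
    return record

# Constructed sample swipe; 4111 1111 1111 1111 is a widely used test PAN.
SAMPLE = {"cardholder_name": "J DOE", "cvv": "123", "pin_block": "0123456789ABCDEF",
          "track2": ";4111111111111111=25121011234567890?"}
```

Running `find_sad(SAMPLE)` before a write reports the CVV, PIN block and track 2 that must not be persisted, while `to_storage(SAMPLE, key)` yields a record that passes the same check.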

SOURCE: CXO Today