Thursday, May 21, 2009

To store or not to store, the top PCI Question

One of the most frequent questions we get asked by merchants is where they should store their cardholder data. The answer to this question is a resounding one: you shouldn't store any cardholder data!

In reality, that is not entirely possible for all merchants. We recommend that merchants not store cardholder data unless it is absolutely essential to doing business. In the words of PCI DSS: "3.1 Keep cardholder data storage to a minimum".

Thieves cannot steal what is not there. Before a merchant gets hacked they often feel it is very important to store card data. Once a merchant experiences an attack, we have seen that mindset shift into one that tries to find a way to eliminate card data from their system entirely.

For point-of-sale transactions where the credit card is physically present, it is best to adopt real-time authorization and settlement. By doing so, the merchant pushes the card data completely off of their systems; they never store it in the first place. If the merchant is storing the card number and batching out once a day, the merchant is required to comply with SAQ-D.

If batching is required, try to set up a system where a compliant processing solution captures all card data upon authorization, returning only an authorization code to the merchant. This approach ensures that cardholder data is removed entirely from the system at the time of authorization. The merchant later batches using the authorization codes instead of the cardholder data, eliminating the risk entirely.

For recurring billing transactions, merchants will need to store customer card data, billing information, and other sensitive data. To reduce risk in this situation, the merchant must never, under any circumstances, store the security code (CVV2, CVV, etc.) after the very first authorization. There are no exceptions to this requirement. PCI DSS says: "Sensitive authentication data must not be stored after authorization (even if encrypted)."
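The two rules above (batch on the authorization code rather than the card data, and never keep the security code after authorization) as an added example, not code from the original post: the processor call is a constructed stub standing in for a compliant processing solution, and the audit function shows one way to check a batch file or customer table for card data that should not be there.

```python
"""Added example (not from the original post): keep only the authorization
code after authorization, then audit stored records for cardholder data.
The processor is a constructed stub, not a real API."""
import re

# Candidate card numbers are runs of 13-19 digits; Luhn separates them from
# other long digit strings such as order or account identifiers.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")
SECURITY_CODE_FIELDS = ("cvv", "cvv2", "cvc", "security_code")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: from the right, double every second digit."""
    total, parity = 0, len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def stub_processor_authorize(pan: str, cvv: str, amount_cents: int) -> dict:
    """Constructed stand-in for the processor: it receives the card data and
    hands back only an authorization code and the last four digits."""
    assert luhn_ok(pan) and len(cvv) in (3, 4)
    return {"auth_code": "A1B2C3", "last4": pan[-4:], "amount_cents": amount_cents}


def settlement_record(auth_response: dict) -> dict:
    """What the merchant persists for the end-of-day batch: the authorization
    code, a truncated number and the amount. PAN and CVV are never written."""
    return {k: auth_response[k] for k in ("auth_code", "last4", "amount_cents")}


def audit_record(record: dict) -> list:
    """Flag fields that hold a security code or a Luhn-valid full card number,
    so stored batches and customer tables can be checked for leftovers."""
    findings = []
    for key, value in record.items():
        if key.lower() in SECURITY_CODE_FIELDS:
            findings.append(f"{key}: security code stored after authorization")
        elif any(luhn_ok(m) for m in PAN_CANDIDATE.findall(str(value))):
            findings.append(f"{key}: full card number stored")
    return findings


if __name__ == "__main__":
    # Constructed sample transaction; 4111111111111111 is a standard test PAN.
    record = settlement_record(stub_processor_authorize("4111111111111111", "123", 1999))
    print(record, audit_record(record))
```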

Requirement 3 details the entire cardholder data storage rules of PCI DSS.

-Lee, Strategic Accounts