The Do’s and Don’ts of Storing Card Data
The rules about keeping 16-digit card numbers, CVV, and expiration dates.
By: Brand Barney
Everyone loves fails, am I right? Here’s a great (and true) security fail to illustrate bad card data storage.
One of my colleagues visited a customer to get some information about how they processed their credit cards. They told him how their secretary had a secure way of storing the office’s credit cards. The secretary proudly explained,
“Well, first I put all the card numbers and expiration dates in an Excel spreadsheet. Then I grab the column and scroll it over and it ‘encrypts’!” Bless her heart. That secretary thought she had “encrypted” their credit cards because they showed up as a line of asterisks.
Let me summarize.
If it’s protected, here’s what you’re allowed to store (PCI DSS calls this cardholder data):
- PAN (Primary Account Number) (e.g., the 13- to 19-digit number on the front of the card, usually 16 digits). A stored PAN must be rendered unreadable: strong encryption, truncation, tokenization, or a keyed one-way hash. A column of asterisks in a spreadsheet is none of these.
- Cardholder name (e.g., John Smith)
- Expiration date (e.g., 5/18)
- Service code (Note: You can’t actually see this data on a physical card because it resides in the magnetic stripe or on the chip)
Even if it’s encrypted, you can NEVER store these after authorization (PCI DSS calls this sensitive authentication data):
- Full track data (the complete magnetic stripe contents, or the equivalent data on a chip)
- PIN
- PIN block (i.e., the encrypted PIN)
- Card verification code (CVV2, CVC2, CID), the three- or four-digit card security code printed on the card. Don’t confuse it with the service code: the service code lives in the stripe and may be stored; the printed security code may not.
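To make the two lists above concrete, here is an added example (my own illustration, not code from the original post or from SecurityMetrics) of a storage gate that enforces them before a card record is written anywhere. It rejects any record carrying sensitive authentication data, including track data smuggled into a free-text field, validates the PAN, and keeps only a truncated PAN plus a keyed one-way hash of the full PAN for lookups. The field names, the `DEMO_HASH_KEY` and the sample records are all constructed for the demo; in a real deployment the HMAC key would come from a KMS or HSM.

```python
import hashlib
import hmac
import re

# Constructed demo key. In a real system the HMAC key is generated and held in a
# KMS/HSM and never appears in source or beside the data it protects.
DEMO_HASH_KEY = bytes(range(32))

# Field names (hypothetical) that carry sensitive authentication data and must
# never be written to storage, encrypted or not.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2", "magstripe"}

# Track data layouts, so SAD pasted into a free-text field is caught too:
# Track 1 begins "%B<PAN>^", Track 2 is "<PAN>=<YYMM><service code>...".
TRACK1_RE = re.compile(r"%B\d{12,19}\^")
TRACK2_RE = re.compile(r"\d{12,19}=\d{4}")


class StorageError(ValueError):
    """Raised when a record must not be written to storage."""


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; weeds out mistyped PANs before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable for lookups and duplicate checks."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes = DEMO_HASH_KEY) -> dict:
    """Return the storable subset of a card record, or raise StorageError."""
    bad = sorted(k for k in record if k.lower() in SAD_FIELDS)
    if bad:
        raise StorageError(f"sensitive authentication data present: {bad}")
    for name, value in record.items():
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            raise StorageError(f"track data found in field {name!r}")
    pan = re.sub(r"[ -]", "", str(record.get("pan", "")))
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise StorageError("invalid PAN")
    # Only cardholder data leaves this function; the full PAN is never returned.
    return {
        "pan_truncated": truncate_pan(pan),
        "pan_hmac": hash_pan(pan, key),
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
        "service_code": record.get("service_code"),
    }


def is_storable(record: dict, key: bytes = DEMO_HASH_KEY) -> bool:
    """True if prepare_for_storage accepts the record."""
    try:
        prepare_for_storage(record, key)
    except StorageError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a well-known test PAN.
    ok = {"pan": "4111 1111 1111 1111", "cardholder_name": "John Smith", "expiry": "05/18"}
    with_cvv = dict(ok, cvv="123")
    with_track = dict(ok, notes=";4111111111111111=1805201123456?")
    print(prepare_for_storage(ok))
    for r in (with_cvv, with_track):
        try:
            prepare_for_storage(r)
        except StorageError as e:
            print("rejected:", e)
```

The hash is keyed on purpose: an unkeyed SHA-256 of a PAN stored next to its first-six/last-four truncation can be brute-forced over the six unknown middle digits, which is exactly the correlation PCI DSS tells you to prevent. Encrypting the full PAN with a managed key would be an equally valid way to render it unreadable; the rejection rules for the CVV, PIN and track data would be the same either way.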
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.