Protect Cardholder Data
There are two requirements in this second core area of PCI DSS (Protect Cardholder Data):
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
The Primary Account Number (PAN) should be protected at all times. The PAN should not be stored unless it is absolutely necessary, and it should always be encrypted wherever it is stored.
Protect Stored Cardholder Data
A data retention and disposal policy should be created. Storage and retention should be limited to the time required for business, legal, or regulatory purposes. However, the CVV2 / CVC2 / CID / CAV2 should not be stored or retained for any purpose. If this data is stored, it violates the card associations' regulations, which can lead to fines and penalties. Your merchant account provider might even add you to the MATCH / TMF list.
It is understood that some employees will need to see the PAN from time to time in the course of their duties. That access should go through the encryption keys: the PAN stays encrypted and is decrypted only for those who need to view it. Key distribution and storage should be secure. Keys should be changed at least once a year and old keys destroyed. If you suspect a key has been compromised, it should be replaced immediately.
If for some reason the company is unable to encrypt the cardholder data, refer to Self-Assessment Questionnaire A and Attestation of Compliance: Appendix B.
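The storage rules above, as an added Go example that is not from the original article: a small PAN vault that refuses to store CVV2/CVC2/CID/CAV2 at all, encrypts the PAN with AES-256-GCM under a versioned key, and supports the yearly key change described above by re-encrypting records onto a new key before the old one is destroyed. The Vault, CardRecord, Store, Reveal, Rotate, ReEncrypt and Retire names are this example's own, and the in-memory key map is a stand-in for the HSM or key-management service a real deployment would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CardRecord is the only form in which a PAN is kept at rest: AES-256-GCM
// ciphertext plus the key version that produced it. No CVV field, on purpose.
type CardRecord struct {
	KeyVersion int
	Nonce      []byte
	Ciphertext []byte
}

// Vault holds versioned 256-bit keys in memory (an HSM or KMS in real life).
type Vault struct {
	keys    map[int][]byte
	current int
}

// Rotate generates a fresh key and makes it current; old versions stay only
// until every record encrypted under them has been moved by ReEncrypt.
func (v *Vault) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	if v.keys == nil {
		v.keys = map[int][]byte{}
	}
	v.current++
	v.keys[v.current] = k
	return nil
}

// Retire destroys an old key. The current key can never be retired.
func (v *Vault) Retire(version int) error {
	if version == v.current {
		return errors.New("cannot retire the current key")
	}
	delete(v.keys, version)
	return nil
}

func (v *Vault) aead(version int) (cipher.AEAD, error) {
	k, ok := v.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d has been destroyed", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts a PAN under the current key; any CVV value is rejected first.
func (v *Vault) Store(pan, cvv string) (*CardRecord, error) {
	if cvv != "" {
		return nil, errors.New("CVV2/CVC2/CID/CAV2 must not be stored")
	}
	g, err := v.aead(v.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, []byte(pan), nil)
	return &CardRecord{v.current, nonce, ct}, nil
}

// Reveal decrypts a record for a user authorised to see the full PAN.
func (v *Vault) Reveal(r *CardRecord) (string, error) {
	g, err := v.aead(r.KeyVersion)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, r.Nonce, r.Ciphertext, nil)
	return string(pt), err
}

// ReEncrypt moves a record onto the current key so the old one can be retired.
func (v *Vault) ReEncrypt(r *CardRecord) error {
	pan, err := v.Reveal(r)
	if err != nil {
		return err
	}
	nr, err := v.Store(pan, "")
	if err == nil {
		*r = *nr
	}
	return err
}
```

Rotation is the sequence Rotate, ReEncrypt every record, then Retire the old version. A record still pointing at a retired version becomes unreadable, which is the intended failure mode: a destroyed key must not quietly fall back to anything.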
Encrypt Transmission of Cardholder Data Across Open, Public Networks
Sensitive information must be encrypted during transmission over networks, because it is easy for attackers to intercept or divert traffic while it is in transit. Never send unencrypted account numbers by e-mail.
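The last sentence above, as an added Go example that is not from the original article: an outbound check that a mail relay or log shipper could run to catch clear-text account numbers before they leave the network. It looks for runs of 13 to 19 digits that pass the Luhn checksum and reports them masked to the last four digits. FindPANs, CheckOutbound and the sample messages in the test are this example's own constructions; the Luhn check is a heuristic and will occasionally flag an unrelated number, so a hit should go to review rather than silently drop the message.

```go
package main

import (
	"regexp"
	"strings"
)

// luhnValid accepts 13 to 19 digits whose Luhn checksum is correct; this
// filters out most ordinary numbers such as order ids and phone numbers.
func luhnValid(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	sum := 0
	for i := range s {
		c := s[len(s)-1-i] // walk from the rightmost digit
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if i%2 == 1 {
			d *= 2
		}
		sum += d/10 + d%10 // digit sum of d, i.e. d-9 when d > 9
	}
	return sum%10 == 0
}

// digitRuns matches 13 to 23 characters of digits, spaces or hyphens, which
// covers PANs typed plain or in the usual 4-4-4-4 grouping.
var digitRuns = regexp.MustCompile(`[0-9][0-9 -]{11,21}[0-9]`)

// FindPANs returns every Luhn-valid card number found in text, masked to its
// last four digits so that the finding itself does not leak the PAN.
func FindPANs(text string) []string {
	var found []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range digitRuns.FindAllString(text, -1) {
		if d := strip.Replace(m); luhnValid(d) {
			found = append(found, "****"+d[len(d)-4:])
		}
	}
	return found
}

// CheckOutbound is the gate a mail relay or log shipper would call: it
// returns false, with the masked hits, when the message carries a PAN.
func CheckOutbound(msg string) (bool, []string) {
	hits := FindPANs(msg)
	return len(hits) == 0, hits
}
```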