PCI Requirement 3.2.1, 3.2.2 & 3.2.3 – Do Not Store the Track, Service Code, or PIN after Authorization

by Randy Bartels / December 22, 2022

PCI Requirement 3.2 requires that organizations do not store sensitive authentication data after authorization, even if encrypted. Sensitive authentication data includes full track data (magnetic-stripe data or equivalent on a chip), CAV2/CVC2/CVV2/CID, and PINs/PIN blocks. Along with PCI Requirement 3.2 comes three sub-requirements. PCI Requirement 3.2.1 states, “Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained…

PCI Requirement 3.2 – Do Not Store Sensitive Authentication Data after Authorization

by Randy Bartels / December 22, 2022

PCI Requirement 3.2 states, “Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.” Organizations in compliance with the PCI DSS should never store sensitive…

PCI Requirement 3.1 – Keep Cardholder Data Storage to a Minimum

by Randy Bartels / December 22, 2022

PCI Requirement 3.1 requires organizations to securely delete data that is not required to be retained for business or legal requirements. Why is complying with PCI Requirement 3.1 important? So that cardholder data cannot be recreated by malicious individuals. PCI Requirement 3.1 states that organizations should, “Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes…” PCI Requirement 3.1 aligns with the methodology…

PCI Requirement 2.6 – Shared Hosting Providers Must Protect Each Entity’s Hosted Environment

by Randy Bartels / December 22, 2022

What is a Shared Hosting Provider? PCI Requirement 2.6 exists to protect hosting environments. When multiple clients’ data is all on the same server, the security of the server often becomes susceptible to vulnerabilities. For example, one client could create insecure functions, but because the data is under the control of a single environment, the other clients’ data would also become compromised. This is why PCI Requirement 2.6 requires that…

PCI Requirement 2.5 – Ensure Security Policies Are Known to All Affected Parties

by Randy Bartels / December 22, 2022

Ensure that Policies and Procedures are Documented, In Use, and Known to All Affected Parties PCI DSS Requirement 2.5 addresses one of the most important aspects of the assessment. It directs, “Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.” If vendor defaults and other security measures are not continuously managed, it’s harder to…