My Merchant Account Blog

Protect Cardholder Data

Thursday, December 04, 2008
There are two requirements in this second core objective of PCI DSS (Protect Cardholder Data):
  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks
The Primary Account Number (PAN) should be protected at all times. It should not be stored unless absolutely necessary, and wherever it is stored it should be encrypted.

Protect Stored Cardholder Data

A data retention and disposal policy should be created. Storage and retention should be limited to the time required for business, legal, or regulatory purposes. However, the CVV2 / CVC2 / CID / CAV2 should not be stored or retained for any purpose. Storing this data violates the card associations' regulations, which can lead to fines and penalties. Your merchant account provider might even add you to the MATCH / TMF list.

Some employees will need to see the PAN from time to time in the course of their duties. They should be able to view it only by decrypting it with the proper encryption keys. Key distribution and storage should be secure. Keys should be changed at least once a year and old keys destroyed. If you suspect a key has been compromised, replace it immediately.
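The two storage rules above (never retain CVV2-type data; keep the PAN out of plain storage and rotate the keys that protect it) can be enforced at the point where an authorization record is written. The following is an added example, not code from this blog or from the PCI Council; the field names, the key record format, and the test PAN are constructed. Because the Python standard library has no AES, the stored PAN is rendered as a masked display form plus a keyed one-way hash (HMAC-SHA256) used as a lookup index, which is one of the renderings PCI DSS accepts alongside encryption; the key for that hash is treated exactly like the encryption keys the post describes (kept apart from the data, rotated yearly, replaced on suspected compromise).

```python
"""Storage-side handling of cardholder data (added example; assumptions noted in comments)."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Sensitive authentication data that must never be retained after authorization.
# Field names are an assumption about the incoming record format.
FORBIDDEN_FIELDS = {"cvv2", "cvc2", "cid", "cav2", "track1", "track2", "pin_block"}

# Keys are replaced at least once a year (the post's minimum), or sooner on compromise.
KEY_ROTATION_PERIOD = timedelta(days=365)


def luhn_ok(pan: str) -> bool:
    """Luhn check so obviously invalid PANs are rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed one-way hash used as a lookup token. The key lives apart from the data store;
    without it the token cannot be correlated to a PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def key_needs_replacement(key_created: str, today: str, compromised: bool = False) -> bool:
    """Rotate at least yearly; replace immediately on suspected compromise.
    Dates are ISO-8601 strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(key_created)
    return compromised or age >= KEY_ROTATION_PERIOD


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Build the only version of an authorization record that may be written to disk.
    Sensitive authentication data is dropped, and the PAN is replaced by its masked
    form plus the keyed index; the full PAN itself is not retained."""
    pan = re.sub(r"\D", "", str(record["pan"]))      # strip spaces/dashes from the PAN
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN failed format/Luhn check")
    stored = {
        k: v for k, v in record.items()
        if k.lower() not in FORBIDDEN_FIELDS and k.lower() != "pan"
    }
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_index"] = pan_index(pan, key)
    return stored


if __name__ == "__main__":
    # Constructed sample record: a well-known test PAN, never a real card number.
    sample = {"pan": "4111 1111 1111 1111", "cvv2": "123", "expiry": "12/29", "amount": "10.00"}
    print(sanitize_for_storage(sample, b"hypothetical-index-key"))
    print("rotate key:", key_needs_replacement("2008-12-04", "2009-12-04"))
```

If the business genuinely needs the full PAN back (for example to re-present a transaction), the index token would be replaced by a ciphertext produced with strong cryptography and the same key-custody rules; the filtering of CVV2 / CVC2 / CID / CAV2 stays identical either way.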

If for some reason the company is unable to encrypt the cardholder data, refer to Self-Assessment Questionnaire A and Attestation of Compliance: Appendix B.

Encrypt Transmission of Cardholder Data Across Open, Public Networks

Sensitive information must be encrypted during transmission over open, public networks because it is easy for hackers to intercept or divert traffic in transit. Never send unencrypted account numbers by e-mail.
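On the transmitting side, "encrypted during transmission" in practice means a TLS connection whose peer certificate is actually verified; a client that accepts any certificate can be diverted to an interceptor while still "using encryption". The following added example (not from the blog) builds a hardened client context next to a weak one and runs the same checklist over both, so the weak configuration is caught before any cardholder data is sent. It uses only the Python standard library `ssl` module; the function names are the author's own.

```python
"""Client-side TLS context checks for sending cardholder data (added example)."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Context for talking to a processor/gateway: TLS 1.2 or newer, peer certificate
    required and matched against the hostname, using the platform CA store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # For a gateway with a private CA, add: ctx.load_verify_locations("gateway-ca.pem")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration that shows up in code that 'just works' after a certificate
    error: encryption is negotiated, but any server can present any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Return the list of reasons a context is unfit for sending account numbers;
    an empty list means it passes every check."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not required/verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions older than TLS 1.2 are allowed")
    return problems


if __name__ == "__main__":
    print("hardened:", context_problems(hardened_client_context()))
    print("weak:", context_problems(weak_client_context()))
```

A connection opened with the hardened context (for example `ctx.wrap_socket(sock, server_hostname="gateway.example")`, a placeholder hostname) fails closed on a wrong or untrusted certificate, which is the behaviour the requirement is after; the check list is the thing to run in a pre-deployment test so the weak variant never reaches production.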

