Posted (db) in PCI on October 14, 2008

Martin writes a great post titled: Why is your company storing credit card numbers?

Many of the merchants I’ve dealt with keep everything, and I do mean everything. I’ve run into systems that have card numbers in their databases that date back to the first time they opened up an e-commerce site in the late ’80s. The majority of the card numbers in these systems have long since expired, but the merchant steadfastly refuses to purge any of the data ‘just in case it might be useful some day’. In most cases, they don’t actually use the stored credit card numbers in any way, shape or form, but they feel the need to have the data just to have the data. After all, we all know data is valuable, and what’s more valuable than a potential customer’s credit card number?

I have had similar experiences as well, even more so on the development side, where "log everything, you never know when you will need it" was the mentality; you should be able to see why this is a problem.

What Martin writes about is something that you *should* be doing anyway per PCI DSS Requirement 3.1 (keep cardholder data storage to a minimum, under a documented retention and disposal policy). If you look at the testing procedures, however, there is no test that ties the retention period documented in the policy to the actual data that is retained: an assessor can confirm that the policy says "90 days" without anyone ever querying the database to see whether ten-year-old PANs are still sitting in it.
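One way to close that gap yourself, as an added example that is not part of the original post and not a PCI DSS testing procedure: a small Python audit that takes the retention period the policy documents and checks it against what is actually in the table, then truncates whatever is over the line. The orders table, its column names and the rows are constructed sample data; the card numbers are generated from arbitrary prefixes with a valid Luhn check digit so they look like PANs to a scanner but are not real accounts, and the 90-day retention period is assumed.

```python
import sqlite3
from datetime import date, timedelta

# Documented policy (assumed for this example): a full PAN may be kept for at most
# 90 days after the card was last used, and never past the card's expiry.
RETENTION_DAYS = 90


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """Standard Luhn test on a full card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right (check digit excluded)
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_test_pan(partial: str) -> str:
    """Constructed, Luhn-valid card number for sample data; not a real account."""
    return partial + str(luhn_check_digit(partial))


def build_sample_db() -> sqlite3.Connection:
    """In-memory orders table with constructed rows; schema and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, pan TEXT, expiry TEXT, last_used TEXT)"
    )
    rows = [
        (1, make_test_pan("411111111111111"), "12/10", "2008-10-01"),  # recent, within policy
        (2, make_test_pan("555555555555444"), "12/10", "2008-05-01"),  # last used > 90 days ago
        (3, make_test_pan("37828224631000"), "09/08", "2008-10-10"),   # card already expired
        (4, "1111", "12/99", "1999-01-01"),                            # already truncated
    ]
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def is_expired(expiry_mmyy: str, as_of: date) -> bool:
    """A card is valid through the last day of its MM/YY expiry month."""
    mm, yy = expiry_mmyy.split("/")
    return (as_of.year, as_of.month) > (2000 + int(yy), int(mm))


def find_retention_violations(conn: sqlite3.Connection, as_of: date,
                              retention_days: int = RETENTION_DAYS) -> list:
    """IDs of rows still holding a full PAN past the documented retention period or past expiry."""
    cutoff = as_of - timedelta(days=retention_days)
    violations = []
    for row_id, pan, expiry, last_used in conn.execute(
        "SELECT id, pan, expiry, last_used FROM orders WHERE length(pan) > 4"
    ):
        stale = date.fromisoformat(last_used) < cutoff
        if stale or is_expired(expiry, as_of):
            violations.append(row_id)
    return violations


def truncate_pans(conn: sqlite3.Connection, ids) -> int:
    """Keep only the last four digits (a truncated PAN may be stored); return rows changed."""
    cur = conn.cursor()
    for row_id in ids:
        cur.execute("UPDATE orders SET pan = substr(pan, -4) WHERE id = ?", (row_id,))
    conn.commit()
    return len(ids)


def audit_and_truncate(as_of: date = date(2008, 10, 14)) -> dict:
    """Run the policy check against the sample table, purge, and report what is left."""
    conn = build_sample_db()
    flagged = find_retention_violations(conn, as_of)
    truncated = truncate_pans(conn, flagged)
    remaining = [r[0] for r in conn.execute("SELECT id FROM orders WHERE length(pan) > 4")]
    return {"flagged": flagged, "truncated": truncated, "full_pans_remaining": remaining}


if __name__ == "__main__":
    print(audit_and_truncate())
```

Run against the sample table as of the post date, rows 2 and 3 are flagged (one stale, one expired) and truncated, leaving only row 1 with a full PAN. The point is the shape of the check rather than the code: the number in the policy becomes the `retention_days` argument, and the query is run against the real table on a schedule, so "what the policy says" and "what is stored" can no longer drift apart silently.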




Comments:
Randy San Nicolas on November 28th, 2008 at 2:17 pm

How does PCI view the temporary storage of card numbers on the issuing side? Example scenario: check cashers and pawn stores provide loading facilities for card issuers through a proprietary application. The card number is entered into the system by a clerk and an application builds an API call containing the card information for processing. Once the call is built and executed, the card number is deleted.

Randy San Nicolas
http://www.prepaidenterprise.com
