I’ve been enjoying LastPass for generating, securely storing, and synchronizing passwords between web browsers and my machines. LastPass also has a feature called Automatic Form Filling, and I was a little surprised when I saw a spot to store the following information:
Look at the "Credit Card Number" Section:
Notice the spot for Security Code? PCI considers the Security Code (CAV2, CVC2, CVV2, CID) Sensitive Authentication Data and does not permit the storage of Sensitive Authentication Data, even if it is encrypted. This is PCI DSS requirement 3.2; also see the "PCI Data Storage Do’s and Don’ts".
So if a user enters their Security Code and saves it in their "Form Fill Profile", the Security Code is stored in encrypted format on your computer (when you log in to LastPass.com), on the LastPass.com servers, and on Amazon S3 (where LastPass stores its backups). [1] Interesting.
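As an added example (not LastPass code, and not from the original post), here is a small Python pre-persistence check for a form-fill profile: it flags fields holding a security code as Sensitive Authentication Data that must not be stored at all, and separately flags any field, including free text, that contains a Luhn-valid card number. The profile keys and sample values below are constructed; the two card numbers are the publicly known test numbers, not real accounts.

```python
import re
from copy import deepcopy

# Field names that hold what PCI DSS calls Sensitive Authentication Data (SAD):
# the card security code family (CAV2, CVC2, CVV2, CID). PCI DSS 3.2 forbids
# storing these after authorization, even encrypted. (Constructed pattern.)
SAD_FIELD_RE = re.compile(r"(cvv|cvc|cav|\bcid\b|security[_ ]?code)", re.IGNORECASE)

# Candidate primary account numbers (PAN): 13-19 digits, optionally grouped
# with spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN-like digit runs found anywhere in a string."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_profile(profile: dict) -> dict:
    """Classify a form-fill profile's fields before it is persisted.

    Returns {"sad_fields": [...], "pan_fields": [...]}:
      sad_fields - keys holding a security code; must not be stored at all
      pan_fields - keys whose value contains a Luhn-valid card number
                   (including free-text fields such as notes); if these are
                   stored they need PCI-style protection
    """
    report = {"sad_fields": [], "pan_fields": []}
    for key, value in profile.items():
        if SAD_FIELD_RE.search(key) and str(value).strip():
            report["sad_fields"].append(key)
        elif find_pans(str(value)):
            report["pan_fields"].append(key)
    return report


def scrub_profile(profile: dict) -> dict:
    """Return a copy of the profile with every SAD field dropped."""
    clean = deepcopy(profile)
    for key in audit_profile(profile)["sad_fields"]:
        del clean[key]
    return clean


# Constructed sample profile mirroring the form-fill fields the post lists.
SAMPLE_PROFILE = {
    "name": "Example Cardholder",
    "card_number": "4111 1111 1111 1111",   # well-known Visa test number
    "exp_date": "12/29",
    "security_code": "123",                 # CVV2: sensitive authentication data
    "notes": "backup card 5555-5555-5555-4444 in wallet",
}

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
    print(scrub_profile(SAMPLE_PROFILE))
```

Running the block on the sample profile reports `security_code` as the field that must be dropped and `card_number` plus `notes` as fields carrying a card number; the free-text hit is the case a simple "only look at the card field" check would miss.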
I’ve decided that I can type in my Social Security Number, Credit Card Number, Exp Date and Security Code on the websites that I frequent.
(Actually, the main card number that I use for e-commerce sites I have memorized anyway.)
It should also be noted that the PCI 3.2 language states "Do not store sensitive authentication data after authorization (even if encrypted)". LastPass.com acts more like a password manager or eWallet and does not participate in the authorization process; also, the information in the user’s account is solely the cardholder’s.
[1] https://lastpass.com/technology.php