PCI 3:: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 5: | Line 5: | ||
---- | ---- | ||
<br> | <br> | ||
::[[Image:Key-control.jpg]]'''PCI-3.4 Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches: | ::[[Image:Key-control.jpg]][[PCI-3.1 | PCI-3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and or regulatory purposes, as documented in the data retention policy.]]<br> | ||
<br> | |||
---- | |||
<br> | |||
:'''PCI-3.2 Do not store sensitive authentication data subsequent to authorization (not even if encrypted):'''<br> | |||
<br> | |||
::[[Image:Key-control.jpg]][[PCI-3.2.1:|PCI-3.2.1 Do not store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.).]]<br> | |||
<br> | |||
::[[Image:Key-control.jpg]][[PCI-3.2.2:|PCI-3.2.2 Do not store the card-validation code [three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 data or CVC2 data)].]]<br> | |||
<br> | |||
::[[Image:Key-control.jpg]][[PCI-3.2.3:|PCI-3.2.3 Do not store the PIN Verification Value (PVV).]]<br> | |||
<br> | |||
---- | |||
<br> | |||
::[[Image:Key-control.jpg]][[PCI-3.3 | PCI-3.3 Mask account numbers when displayed (the first six and last four digits are the maximum number of digits to be displayed).]]<br> | |||
<br> | |||
:::*Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers. | |||
<br> | |||
---- | |||
<br> | |||
::[[Image:Key-control.jpg]][[PCI-3.4 | PCI-3.4 Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:]]<br> | |||
<br> | <br> | ||
:::* One-way hashes (hashed indexes), such as SHA-1 | :::* One-way hashes (hashed indexes), such as SHA-1 | ||
Revision as of 14:13, 28 February 2007
Requirement 3: Protect stored data.
- Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers.
- PCI-3.2 Do not store sensitive authentication data subsequent to authorization (not even if encrypted):
- Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers.
- One-way hashes (hashed indexes), such as SHA-1
- Truncation
- Index tokens and PADs, with the PADs being securely stored
- Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures.
- The MINIMUM account information that needs to be rendered unreadable is the payment card account number.
- PCI-3.5 Protect encryption keys against both disclosure and misuse.
- PCI-3.6 Fully document and implement all key management processes and procedures, including:
--Mdpeters 08:33, 26 June 2006 (EDT)