PCI DSS
Summary of PCI DSS Requirement 3
Keep Cardholder Storage to a Minimum
As part of your development of policies, you will establish a data retention policy. This is a crucial piece of an information assurance plan. There is no need to store sensitive data longer than business, legal, and regulatory requirements dictate.
Do Not Store Sensitive Authentication Data Subsequent to Authorization
Once a transaction has been authorized or “cleared,” there is no justification for storing any of the following sensitive data:
- Full contents of any track from the magnetic stripe on the back of the card
- Card verification code
- PIN
- PIN block (encrypted pin block)
PCI DSS Compliance Step By Step
Step 1—Identify and Classify Information
The first step in achieving your data privacy goals is to identify what data you have and classify it in terms of its sensitivity. There are multiple levels on which data can be classified, but for the purposes of PCI, you need to determine what is and is not cardholder data, and then break down the elements further in terms of sensitivity. You might break it down as follows:
- Customer Information
- PAN
- Personal Identification Number (PIN)
- Non-customer-related data
You can classify your data in any way that makes sense to you, but the most important thing to be aware of is what PCI DSS Requirement 3 requires to be treated as sensitive. Your subsequent steps of organization will be based on your decisions here.
Step 2—Identify Where the Sensitive Data is Located
Databases will house cardholder data, but where else might it be? Flat files that are results of batch processing, log files, backup tapes, and storage networks may all house sensitive information.
Ask the following questions:
PCI DSS Firewall Security Audit Guidelines
- The PCI DSS requires a firewall that provides stateful inspection, also known as dynamic packet filtering.
- Stateful inspection firewalls offer strong security along with good performance and transparency to end users, unlike packet filtering and proxy firewalls.
- Document your dataflow in order to aid the system and security administrators in configuring the firewall with the proper rule set.
PCI DSS Compensating Controls for Requirement 3.4
“Compensating controls may consist of either a device or combination of devices, applications, and controls that meet all of the following conditions:
- Provide additional segmentation/abstraction (e.g., at the network layer)
- Provide ability to restrict access to cardholder data or databases based on the following criteria:
* Internet Protocol (IP) address/Media Access Control (MAC) address
* Application/service
* User accounts/groups
* Data type (packet filtering)
PCI Requirement 4—Encrypt Transmission of Cardholder Data Across Open, Public Networks
As in the case of protecting stored data, the most reliable and efficient way to ensure that your transmitted data is not intercepted (confidentiality) or modified (integrity) is to encrypt it during transmission. PCI Requirement 4 spells out specific details for these communication procedures.
Let’s take a look at some of the specific PCI DSS sub-items in order to illuminate some of the terminology and the implications.
Requirement 4.1—Cryptography and Protocols
This requirement states “Use strong cryptography and security protocols such as secure socket layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSec) to safeguard sensitive cardholder data during transmission over open, public networks.”