[PCI DSS 3.0] 3.2.1 Do not store the full contents of any track


PCINetwork.org Admin
#1
3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder’s name
• Primary account number (PAN)
• Expiration date
• Service code
To minimize risk, store only these data elements as needed for business.

3.2.1 For a sample of system components, examine data sources including but not limited to the following, and verify that the full contents of any track from the magnetic stripe on the back of card or equivalent data on a chip are not stored after authorization:
• Incoming transaction data
• All logs (for example, transaction, history, debugging, error)
• History files
• Trace files
• Several database schemas
• Database contents.

If full track data is stored, malicious individuals who obtain that data can use it to reproduce payment cards and complete fraudulent transactions.
 