haimzeevi
New User
Joined: 01 Mar 2010 Posts: 27 Location: Israel
Regarding the requirement that PVV & CVV should be erased from TRK2 info:
Is it mandatory, in all organizations, to erase this info from all backups, as well?
Thanks,
Haim Zeevi
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
Check the manual on PCI compliance.
Bill O'Boyle
CICS Moderator
Joined: 14 Jan 2008 Posts: 2501 Location: Atlanta, Georgia, USA
Haim,
IMHO, it couldn't hurt to re-initialize these values to X'00's.
Track 1 Data (BIT 045) should be considered as well.
While you're at it, to be absolutely sure, re-initialize BIT 052 (PIN Block Data) to X'00's (if present).
Welcome to the forum....
Regards,
Bill
haimzeevi
New User
Joined: 01 Mar 2010 Posts: 27 Location: Israel
Thank you both.
Robert, we know here what RTFM stands for... but here, PCI requirements get different explanations, depending on whom you ask.
My question was posted to find out about backups from a long time back.
Thanks again,
Haim.
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
Quote:
but here, PCI requirements get different explanations, depending on whom you ask.
Not according to www.pcisecuritystandards.org they don't. I got pulled into some PCI compliance things a while back and learned to read the official PCI documentation. If you're dealing with PCI issues, you need to learn what the documentation tells you as well. Don't rely on what people tell you -- sometimes interpretations may not be accurate, or be in conflict (as apparently you've found out).
Short answer: card number and CVV (for one) cannot be stored clear text anywhere. This includes disk, tape, backups, VSAM files, servers, you name it. I was working with PCI DSS 1.1 so I'm not sure how much it has changed with the latest standard (probably not a lot in this area), but PCI compliance for 1.1 did not permit storage of the CVV after authentication was done -- period. Encryption did not matter; the CVV was not allowed to be stored at all.
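As an added illustration of Bill's zeroing advice and Robert's point that the CVV must not survive on disk, tape or backups (example code written for this thread, not from any poster or PCI document): the Python below overwrites the Track 1, Track 2 and PIN-block fields of an ISO 8583-style record with X'00' and then scans what remains for anything still shaped like Track 2. It assumes standard ISO 8583 numbering for the Track 2 field (DE 35) and uses a constructed sample record.

```python
import re

# ISO 8583 data elements that carry Sensitive Authentication Data (SAD).
# BIT 045 and BIT 052 are the numbers Bill names; 35 is assumed to be the
# Track 2 field (standard ISO 8583 numbering) where the PVV and CVV sit.
SAD_FIELDS = {35: "Track 2 data", 45: "Track 1 data", 52: "PIN block"}

# Shape of Track 2: optional ';' sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data (PVKI/PVV/CVV),
# optional '?' sentinel. Used only to detect residue, not to parse the card.
TRACK2_RE = re.compile(rb";?\d{13,19}=\d{4}\d{3}\d*\??")

def scrub_sad(fields: dict) -> dict:
    """Overwrite every present SAD field in place with X'00' bytes.

    Length is preserved so a fixed-layout record still lines up, and the
    original buffer is overwritten rather than replaced, so no stray copy is
    left for a later backup to pick up. Returns {DE number: name} zeroed.
    """
    zeroed = {}
    for de, name in SAD_FIELDS.items():
        buf = fields.get(de)
        if buf is None:
            continue
        if not isinstance(buf, bytearray):
            raise TypeError(f"DE {de} must be a bytearray to be zeroed in place")
        buf[:] = b"\x00" * len(buf)
        zeroed[de] = name
    return zeroed

def find_track2_residue(blob: bytes) -> list:
    """Return every Track-2-looking run in a record or chunk of a backup image.
    A non-empty result on what lands on tape/disk means a scrub was missed."""
    return [m.group(0) for m in TRACK2_RE.finditer(blob)]

def sample_record() -> dict:
    """Constructed test record; the PAN is the well-known 4111... test number."""
    return {
        2: bytearray(b"4111111111111111"),                                  # PAN
        35: bytearray(b";4111111111111111=2512101123456789012?"),          # Track 2
        45: bytearray(b"%B4111111111111111^DOE/JANE^25121011234567890?"),  # Track 1
        52: bytearray(bytes.fromhex("1234567890ABCDEF")),                  # PIN block
    }

if __name__ == "__main__":
    rec = sample_record()
    print("before:", find_track2_residue(bytes(rec[35])))
    print("zeroed:", scrub_sad(rec))
    print("after: ", find_track2_residue(b"".join(bytes(v) for v in rec.values())))
```

The residue scan is the part to run against the backup copies Haim asks about: the PAN (DE 2) is left for whatever truncation or encryption the shop applies, since PCI treats it differently from the SAD fields.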
haimzeevi
New User
Joined: 01 Mar 2010 Posts: 27 Location: Israel
Thanks for both the answer & the PCI link.
The answer was "loud & clear"....
Haim Zeevi
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
Glad to hear it helped!