Thank you both.
Robert, we know here what RTFM stands for... but here, PCI requirements got different explanations, depends on whom you ask.
My question was posted to find out about the backups long time backwards.
Joined: 06 Jun 2008 Posts: 8338 Location: Dubuque, Iowa, USA
but here, PCI requirements got different explanations, depends on whom you ask.
Not according to http://www.pcisecuritystandards.org they don't. I got pulled into some PCI compliance things a while back and learned to read the official PCI documentation. If you're dealing with PCI issues, you need to learn what the documentation tells you as well. Don't rely on what people tell you -- sometimes interpretations may not be accurate, or be in conflict (as apparently you've found out).
Short answer: card number and CVV (for one) cannot be stored clear text anywhere. This includes disk, tape, backups, VSAM files, servers, you name it. I was working with PCI DSS 1.1 so I'm not sure how much it has changed with the latest standard (probably not a lot in this area), but PCI compliance for 1.1 did not permit storage of the CVV after authentication was done -- period. Encryption did not matter; the CVV was not allowed to be stored at all.