|
View previous topic :: View next topic
|
| Author |
Message |
haimzeevi
New User
Joined: 01 Mar 2010
Posts: 27
Location: Israel
|
|
|
|
Regarding requirement, PVV & CVV should be erased from TRK2 info.
Is it mandatory, in all organizations, to erase this info from all backups, as well?
Thanks,
Haim Zeevi |
|
| Back to top |
|
 |
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8696
Location: Dubuque, Iowa, USA
|
|
|
|
| Check the manual on PCI compliance. |
|
| Back to top |
|
|
Bill O'Boyle
CICS Moderator
Joined: 14 Jan 2008
Posts: 2501
Location: Atlanta, Georgia, USA
|
|
|
|
Haim,
IMHO, it couldn't hurt to re-initialize these values to X'00's.
Also, Track1 Data (BIT 045) should be considered as well.
While you're at it, to be absolutely sure, re-initialize BIT 052 (Pin Block Data) to X'00's (if present).
Welcome to the forum....
Regards,
Bill |
|
| Back to top |
|
|
haimzeevi
New User
Joined: 01 Mar 2010
Posts: 27
Location: Israel
|
|
|
|
Thank you both.
Robert, we know here what RTFM stands for... but here, PCI requirements got different explanations, depends on whom you ask.
My question was posted to find out about the backups long time backwards.
Thanks again,
Haim. |
|
| Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8696
Location: Dubuque, Iowa, USA
|
|
|
|
| Quote: |
| but here, PCI requirements got different explanations, depends on whom you ask. |
Not according to www.pcisecuritystandards.org they don't. I got pulled into some PCI compliance things a while back and learned to read the official PCI documentation. If you're dealing with PCI issues, you need to learn what the documentation tells you as well. Don't rely on what people tell you -- sometimes interpretations may not be accurate, or be in conflict (as apparently you've found out).
Short answer: card number and CVV (for one) cannot be stored clear text anywhere. This includes disk, tape, backups, VSAM files, servers, you name it. I was working with PCI DSS 1.1 so I'm not sure how much it has changed with the latest standard (probably not a lot in this area), but PCI compliance for 1.1 did not permit storage of the CVV after authentication was done -- period. Encryption did not matter; the CVV was not allowed to be stored at all. |
|
| Back to top |
|
|
haimzeevi
New User
Joined: 01 Mar 2010
Posts: 27
Location: Israel
|
|
|
|
Thanks for both answer & PCI link.
The answer was "loud & clear"....
Haim Zeevi |
|
| Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8696
Location: Dubuque, Iowa, USA
|
|
|
|
Glad to hear it helped!  |
|
| Back to top |
|
|
|
|
