Braintree Payment Solutions
About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.

Track data cannot be stored per PCI regulations

Posted on 4 October, 2007 under PCI DSS Compliance by Bryan Johnson

Merchants are prohibited from storing “track data” recorded from swiped transactions. Track data is the information encoded on the magnetic stripe on the back of a credit card, which is read by the electronic reader in the terminal or point-of-sale (POS) system.

When a credit or debit card is swiped, the track data may include the customer name, credit card number, expiration date, CVV (a three- or four-digit code) and, in the case of a debit card, the PIN.

Of that information, the customer’s name, credit card number, and expiration date may be securely stored according to PCI regulations if the merchant chooses. Under no circumstances can the CVV code or PIN be stored. They must be deleted immediately following authorization.

One problem has been that certain POS systems have been collecting prohibited information without the merchant knowing. Hackers find out which POS systems store this information and then target the retailers who use that particular system.

The second problem has been that merchants have misunderstood what information they actually needed in order to process transactions. For example, some merchants have been working under the incorrect assumption that the CVV code had to be stored after the original transaction.

Most POS vendors whose systems capture and store that information have been scrambling to make sure that they and their customers are making the appropriate adjustments to become PCI compliant.
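To make the retention rule above concrete, and to show the kind of check a merchant can run against the first problem (a POS system quietly storing track data), here is an added Python example. It is not code from this post or from Braintree. It assumes the public ISO/IEC 7813 track layout (Track 1: `%B<PAN>^<NAME>^<YYMM><service code><discretionary data>?`, Track 2: `;<PAN>=<YYMM><service code><discretionary data>?`), and the sample track records and log lines are constructed (the 4111… number is the standard test PAN, not a real card). The parser returns only the three fields the post says may be kept and discards everything else; the scanner flags log lines that still contain a full, Luhn-valid track record.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, not real cards (4111... is a well-known test PAN).
# Both tracks follow the ISO/IEC 7813 layout (an assumption of this example):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# The discretionary-data field is where the card-verification and PIN-verification
# values live; it is the part that must never be retained after authorization.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^2512101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; cuts false positives when scanning logs for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class RetainedCardData:
    """Only the fields the post says a merchant may keep (and must store securely)."""
    pan: str
    expiration: str                 # YYMM as encoded on the stripe
    cardholder_name: Optional[str]  # present on Track 1 only


def extract_retainable(track: str) -> RetainedCardData:
    """Parse one track record and return only the permitted fields.

    The service code and discretionary data are matched so the record is
    validated as a whole, but they are never copied into the returned object.
    """
    m = TRACK1_RE.fullmatch(track)
    if m:
        return RetainedCardData(m["pan"], m["exp"], m["name"])
    m = TRACK2_RE.fullmatch(track)
    if m:
        return RetainedCardData(m["pan"], m["exp"], None)
    raise ValueError("not a recognised track record")


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the middle masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Detection side: scan text (POS logs, exports, database dumps) for full track
# records that should have been deleted. Constructed sample log; line 2 is the
# one a merchant would want flagged, line 4 fails Luhn and is ignored.
SAMPLE_LOG = """2007-10-04 12:01:07 POS01 auth ok amount=19.99 ref=A1B2C3
2007-10-04 12:01:07 POS01 debug raw=;4111111111111111=2512101123456789?
2007-10-04 12:02:15 POS01 auth ok amount=5.00 ref=D4E5F6
2007-10-04 12:03:40 POS01 debug raw=;1234567890123456=2512101123456789?
"""


def find_track_data(text: str) -> list[int]:
    """Return 1-based line numbers that contain a Luhn-valid full track record."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rx in (TRACK1_RE, TRACK2_RE):
            m = rx.search(line)
            if m and luhn_ok(m["pan"]):
                hits.append(lineno)
                break
    return hits


if __name__ == "__main__":
    rec = extract_retainable(SAMPLE_TRACK1)
    print(rec.cardholder_name, mask_pan(rec.pan), rec.expiration)
    print("lines holding prohibited track data:", find_track_data(SAMPLE_LOG))
```

Running the scanner over real POS output, debug logs and backups is the quickest way to learn whether a system is retaining what the post says it must not; the parser shows the shape of the record a system should keep instead, with the PAN itself still subject to the secure-storage requirement.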

Here is a simple chart outlining what data can and cannot be stored according to PCI regulations.

[Chart: PCI Data Storage]
