Track Data Cannot be Stored per PCI Regulations

Merchant accounts are prohibited from storing "track data" that is recorded from swiped transactions. Track data is the information encoded within the magnetic strip on the back of a credit card which is read by the electronic reader within the terminal or point-of-sale (POS) system.

When a credit or debit card is swiped, the track data may include customer name, credit card number, expiration date, CVV number (three and four digit code), and in the case of a debit card, the PIN number. Of that information, the customer's name, credit card number, and expiration date may be securely stored according to PCI regulations if the merchant chooses.

Under no circumstances can the CVV code or PIN number be stored. They must be deleted by immediately following the authorization. One problem has been that certain POS systems have been collecting prohibited information without the merchant knowing. Hackers find out what POS systems are storing this information and then target the retailers who use that particular system.

The second problem has been that merchants have misunderstood what information they actually needed in order to process transactions. For example, some merchants have been working under the incorrect assumption that the CVV code was necessary to store after the original transaction. Most POS vendors who have systems that capture and store that information have been scrambling to make sure that they and their customers are making the appropriate adjustments to become PCI Compliant. Here is a simple graph outlining what data can and cannot be stored according to PCI Regulations.

PCI Data Storage

 

 

Other related posts:
PCI Compliance and the cost of a credit card breach
PCI Compliance basics for credit card security

***
Braintree We enable beautiful commerce experiences so that people and ideas can flourish. More posts by this author

You Might Also Like