Author Archives: admin

Storing Track Data is Never Permitted

Storing track data after authorization is never permitted. It does not matter what an organization intends to do with the track data: it may not store it after authorization. The only exception applies to issuers and issuer processors, which may retain sensitive authentication data only where there is a legitimate business reason for doing so.…

Where Does Cardholder Data Flow?

Cardholder data can flow through many components: applications, systems, and network infrastructure devices. An inventory showing which systems store, process, or transmit cardholder data is a valuable tool when scoping an assessment. An inventory of all systems that store, process, and/or transmit cardholder data must be maintained. The inventory may be in any usable format…

Cardholder Data Discovery Tools

While PCI DSS does not require the use of a data discovery tool, such tools can assist with the scoping process. There are many different tools available for cardholder data discovery. The tool or tools you use depend on a number of factors, including budget, environment, and…

Track 1 vs. Track 2 Data

Two types of full track data are located within the magnetic stripe: Track 1 and Track 2. Track 1 contains all fields of Track 2 plus the cardholder’s name and additional fields reserved for proprietary use by the card issuer. It is the longer track, up to 79 characters, whereas Track 2 is shorter,…
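The following is an added example, not code from the original posts or from any PCI SSC-listed discovery tool. It is a minimal discovery scanner of the kind the "Cardholder Data Discovery Tools" post refers to, and it recognises the Track 1 and Track 2 formats this post describes, so that full track data found at rest (which must never be stored after authorization) is reported separately from a bare PAN. The track layouts it assumes (start sentinels `%B` and `;`, the `^` and `=` separators, 13 to 19 digit PAN, YYMM expiry, three-digit service code, `?` end sentinel) follow ISO/IEC 7813; the log lines are constructed for this example and `4111111111111111` is a standard Luhn-valid test number, not a real card.

```python
"""Added example: a minimal cardholder-data discovery scanner.

Finds Luhn-valid PANs and full magnetic-stripe track data in text such as
log files or database exports. Track layouts assumed here (ISO/IEC 7813):
  Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?   (<= 79 chars)
  Track 2: ;<PAN>=<YYMM><service code><discretionary>?           (<= 40 chars)
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (avoids matching the middle of a reference number).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: format code B, PAN, name (2-26 chars), expiry, service code, rest.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: PAN, '=' separator, expiry, service code, discretionary data.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample input for this example (not real data).
SAMPLE_LOG = """\
2024-03-01 12:00:01 order=1001 card=4111 1111 1111 1111 exp=12/25 status=approved
2024-03-01 12:00:02 debug raw=%B4111111111111111^DOE/JOHN^25121011234567890123?
2024-03-01 12:00:03 debug raw=;4111111111111111=2512101123456?
2024-03-01 12:00:04 order=1002 ref=1234567890123 status=declined
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Scan text line by line; report track data first, then remaining PANs.

    A track match is blanked out before PAN scanning so the same card is not
    reported twice; the track finding already implies the PAN.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        masked = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if not luhn_ok(pan):
                    continue  # separators present but PAN field is not a card
                findings.append({"line": lineno, "kind": kind,
                                 "pan": mask_pan(pan), "severity": "critical"})
                masked = masked.replace(m.group(0), " " * len(m.group(0)))
        for m in PAN_RE.finditer(masked):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):
                findings.append({"line": lineno, "kind": "pan",
                                 "pan": mask_pan(pan), "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:8} {f['kind']:6} {f['pan']}")
```

On the sample input the scanner reports one masked PAN on line 1, a Track 1 string on line 2 and a Track 2 string on line 3, and nothing on line 4 because the 13-digit reference number fails the Luhn check. A real deployment would add file walking, encoding handling and a way to suppress known false positives; the Luhn filter alone does not prove a number is a card, so treat "high" findings as candidates to verify and "critical" track findings as a storage violation to investigate.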

Why Use P2PE Solutions?

Using a validated, Council-listed P2PE solution may reduce the scope of a merchant’s cardholder data environment, provided the merchant does not store or decrypt the encrypted data within its own environment. Let’s look at how P2PE solutions may allow merchants to reduce the scope of their PCI DSS validation. Firstly, the merchant has no access to…

What is a P2PE Solution?

What is a Point-to-Point Encryption (P2PE) solution? A validated P2PE solution is one that has been verified as meeting the PCI P2PE standard and program requirements, and that is listed by the Council. A P2PE solution requires that payment card data be secured and encrypted at the point of interaction (POI) using approved devices and…

PA-DSS Overview

The Payment Application Data Security Standard (PA-DSS) is a comprehensive set of requirements for payment application software vendors, intended to facilitate their customers’ PCI DSS compliance. It is distinct from but aligned with PCI DSS. PA-DSS applies to third-party payment applications that store, process, or transmit cardholder data as part of authorization and/or settlement. The first consideration when…

Service Provider Levels

For service providers, multiple entities may be involved in determining their level. When a service provider is involved in the authorization of a transaction, the acquirer or payment brand can simply determine the transaction volume. However, if a service provider is not involved in authorizing transactions, its level may be determined by its merchant customers,…

Merchant Levels

We will now briefly touch on merchant levels and transaction volumes. A merchant’s level is defined by the payment brands and determined by the acquirer, or by the payment brand where it acts as the acquirer. This means an organization may fall into different levels for different payment brands. Transaction volumes: each acquirer determines merchant transaction volumes,…