Signature Capture at POS
GMagyar
06-01-2009, 09:14 AM
Does the Signature Capture need to be encrypted where it is saved at the POS? Just the actual signature?
I can't find documentation one way or another.
stewart05
06-02-2009, 07:42 AM
I do not believe that signatures are considered cardholder data, and therefore they are not in scope of PCI.
GMagyar
06-02-2009, 08:39 AM
Thanks! I went ahead and sent the question to our QSA, I guess I should have started there, but didn't want to open a can of worms.... I appreciate the response. :)
jbhall56
06-02-2009, 07:18 PM
It's not in scope for PCI, but I think your customers would sleep better at night knowing that their signature is protected. A number of states consider signatures as personally identifiable information (PII) and covered under state privacy laws. So I would recommend that you check with your corporate attorney to ensure that you are complying with all relevant states and their privacy laws on this topic.
D.roorn
10-22-2009, 06:01 PM
Does anyone know how to create an interface much like the one presented in Notes for the Pocket PC? I would like to be able to capture a signature via Pocket PC. Nothing in CF seems to let me draw on its surface. Any suggestions will be appreciated. Thanks.
lyalc
10-23-2009, 04:55 PM
Not many, if any, developers/programmers frequent these forums.
Not sure where you can find detailed help to your question.
lyalc
learned
11-13-2009, 10:09 AM
A number of states consider signatures as personally identifiable information (PII) and covered under state privacy laws.
Jeff do you happen to know if any single source that "attempts" to keep track of what individual states are considering PII?
jbhall56
11-14-2009, 05:18 AM
I cannot guarantee that they cover this well, but try these.
http://www4.law.cornell.edu/
http://nsi.org/Library/Compsec/computerlaw/statelaws.html
If you have a corporate attorney or legal counsel, have them do a search on Lexis or Westlaw for 'personally identifiable information' under the State statutes section of the law.
manukabay
11-15-2009, 08:33 AM
PCI-DSS requires that the cardholder name must be protected if stored in conjunction with the PAN. Doesn't that imply that the signature must be encrypted if the PAN is also stored?
jbhall56
11-15-2009, 06:27 PM
The PCI DSS makes no reference to any other personally identifiable information (PII) other than that information contained on the credit card or in the card's magnetic stripe or chip.
That said, prudent business sense says that you should protect all PII as strenuously as you do cardholder data (CHD). That would include the cardholder's signature.
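As an added illustration of the "protect the signature as you would cardholder data" advice above (this is example code written for this page, not something jbhall56 or any POS vendor posted): the signature image captured at the terminal is encrypted at rest with AES-256-GCM, and the transaction identifier is bound into the record as additional authenticated data, so a stored blob cannot be silently swapped onto a different transaction. The key, the transaction ID, and the "signature" bytes are all constructed for the demo; real key handling (HSM, KMS, or the terminal's secure element) is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealSignature encrypts a captured signature image (for example the PNG
// bytes from the pad) with AES-GCM. txnID is passed as additional
// authenticated data: it stays in the clear in the transaction record, but
// decrypting the blob under any other transaction ID fails.
// Output layout: nonce || ciphertext || GCM tag (Seal appends the tag).
func SealSignature(key []byte, txnID string, signature []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, signature, []byte(txnID)), nil
}

// OpenSignature reverses SealSignature. Any change to the nonce, the
// ciphertext, the tag, or the transaction ID makes Open return an error.
func OpenSignature(key []byte, txnID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("signature blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(txnID))
}

func main() {
	// Constructed demo key; a real terminal would fetch it from an HSM/KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sig := []byte("constructed-signature-image-bytes") // stands in for PNG data

	blob, err := SealSignature(key, "TXN-0001", sig)
	if err != nil {
		panic(err)
	}
	if plain, err := OpenSignature(key, "TXN-0001", blob); err == nil {
		fmt.Printf("recovered %d bytes for TXN-0001\n", len(plain))
	}
	// Replaying the same blob under another transaction is rejected.
	if _, err := OpenSignature(key, "TXN-0002", blob); err != nil {
		fmt.Println("TXN-0002: rejected:", err)
	}
}
```

The point of binding the transaction ID is that encryption alone only gives confidentiality; the authenticated tag is what stops a record from being altered or moved between transactions on the POS database. With random 96-bit nonces, rotate the key well before 2^32 signatures have been sealed under it.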
manukabay
11-18-2009, 08:19 AM
From PCI-DSS 1.2 Requirements on page 1 under Cardholder Data and Sensitive Authentication Data Elements:
"Cardholder data is defined as the primary account number (“PAN,” or credit card number) and other data obtained as part of a payment transaction"
I think the signature would qualify as "other data obtained as part of a payment transaction".
Also note the comment on the table provided on the same page:
"This table is not meant to be exhaustive; its sole purpose is to illustrate the different type of requirements that apply to each data element."
I can't find anything limiting the name to the embossed name on the card or name read from the mag stripe.