sensitive authorisation data
"sensitive authentication data must not be stored subsequent to authorisation"
Are there any explicit guidelines with respect to storage of sensitive data prior to authorisation, or is it simply a case of common sense?
fatal
04-17-2007, 07:04 PM
This is covered by the card brands' opregs, not PCI DSS.
K Heath
04-18-2007, 04:29 PM
Interestingly, PCI Audit Procedures 3.2 mentions that the sensitive authentication data must not be stored in "Incoming Transaction Data". I'd expect "Incoming Transaction Data" could be pre-authorisation and may need to be stored temporarily pending processing.
It seems the requirement for protection of sensitive authentication data pre-authorisation is not prescriptive in PCI DSS, but it stands to reason that it would require, at a very minimum, the level of protection afforded to other Cardholder Data.
It certainly must not be retained post-authorisation and must be unrecoverable.
mdahn
05-01-2007, 06:34 PM
"sensitive authentication data" refers to requirement 3.2.x:
1) Track or Chip data
2) CVV2/CVC2/CID data
3) PIN block / encrypted PIN block data