
Can we give "Trace" Files to a PCI DSS Compliant software developer?


odessit
03-18-2009, 05:13 AM
Our credit processing software developer is requesting trace files from live transactions to investigate some issues. The trace files are encrypted by them and we can't really verify what these trace files include (masked or unmasked PANs for example).
Being that the developer is PCI DSS compliant - should we provide them with the trace files for debugging?
Thanks.

dbergert
03-18-2009, 11:58 AM
Being that the developer is PCI DSS compliant

What does this mean? Are they PABP or PA-DSS validated? If they are, they should have a section in their PABP/PA-DSS Implementation Guide on secure troubleshooting procedures that addresses this.

should we provide them with the trace files for debugging?

I would challenge them to find another way to solve this issue. At minimum they should provide a sample trace file, so you can know the contents of this file to gauge impact; if the trace file contains only truncated card numbers, that is a different thing than one with full CHD.

If they need to have it, have them explain in detail section 1.1.5 from PA-DSS 1.2:

1.1.5.a Examine the software vendor's procedures for troubleshooting customers' problems and verify the procedures include:
- Collection of sensitive authentication data only when needed to solve a specific problem
- Storage of such data in a specific, known location with limited access
- Collection of only a limited amount of data needed to solve a specific problem
- Encryption of sensitive authentication data while stored
- Secure deletion of such data immediately after use

https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf and be comfortable with it.
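The point above about gauging impact (does the trace carry truncated numbers or full cardholder data?) is something the merchant can check themselves once the vendor hands over a plaintext sample. The scanner below is an added example written for this thread, not code from either poster or from any payment application vendor; it assumes a line-oriented plaintext trace (the real vendor format is encrypted and unknown here), uses a Luhn check to separate genuine PANs from other long digit runs such as transaction ids, and runs over a few constructed sample lines that use the widely published Visa test number rather than any real card.

```python
import re
from dataclasses import dataclass

# Constructed sample trace (hypothetical format, not a real vendor's).
# Line 2 carries a full PAN, line 3 a masked one, lines 1 and 4 carry
# long numeric ids that must NOT be reported as card numbers.
SAMPLE_TRACE = """\
2009-03-18 05:13:00 TXN id=20090318051300 amount=42.17 auth=APPROVED
2009-03-18 05:13:00 ISO8583 field2=4111111111111111 field3=000000
2009-03-18 05:13:01 RECEIPT pan=411111******1111 exp=**/**
2009-03-18 05:13:02 TXN id=20090318051302 ref=4111111111111112
"""

# Candidate full PAN: 13-19 digits not adjacent to other digits.
FULL_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Masked/truncated PAN: first six, a run of mask characters, last four.
MASKED_PAN_RE = re.compile(r"(?<!\d)\d{6}[*xX]{2,9}\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters timestamps and ids out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(pan: str) -> str:
    """Keep only first six and last four so the report itself is safe to share."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str    # "full" or "masked"
    value: str   # already redacted for "full"


def scan_trace(text: str) -> list[Finding]:
    """Return every masked PAN and every Luhn-valid full PAN found per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in MASKED_PAN_RE.finditer(line):
            findings.append(Finding(line_no, "masked", m.group()))
        for m in FULL_PAN_RE.finditer(line):
            if luhn_valid(m.group()):
                findings.append(Finding(line_no, "full", redact(m.group())))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts plus a verdict the merchant can act on before sharing the file."""
    n_full = sum(1 for f in findings if f.kind == "full")
    n_masked = sum(1 for f in findings if f.kind == "masked")
    verdict = "contains full CHD" if n_full else "truncated/masked only"
    return {"full": n_full, "masked": n_masked, "verdict": verdict}


if __name__ == "__main__":
    found = scan_trace(SAMPLE_TRACE)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(summarize(found))
```

A hit in the "full" column means the file falls squarely under the 1.1.5 procedures quoted above (limited collection, restricted storage, encryption at rest, secure deletion) and should not leave the premises until the vendor has shown how they meet them; a trace that comes back "truncated/masked only" is a much smaller conversation.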

odessit
03-19-2009, 12:25 PM
Thanks for the link & some facts. We do have answers to some questions but missing some other info. Time to hit the developers :eek: