"Data at Rest"


peiman
06-27-2007, 01:29 PM
For business purposes, how long can flat files that contain credit card numbers be "at rest" before they have to be encrypted? If the information is residing on a PC needing to be analyzed before it is sent out, how long can it be unencrypted on that PC before it is considered "Data at Rest"?

Thank you,

StevePC
06-27-2007, 05:06 PM
Reading the standard as the "letter of the law", there is no time frame specified for this scenario. However, the standard does state that storage of card data without protection is not permitted unless compensating controls are in place (and documented appropriately).

If storage of these files was a justifiable business need, then a QSA would be more focused on establishing what your compensating controls were for this situation. You may be able to use a shorter storage time frame as part of your compensating controls, provided other measures were also in place to prevent unauthorised access.

As an easy-to-implement solution, you might consider storing your flat files in a Zip archive with AES encryption (using Winzip or Powerarchiver, for example) if you need to retain flat files for a period of time on the host.

Every scenario is different; however, I hope this gives you some ideas on how to approach the issue.

Steve
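A "shorter storage time frame" compensating control only holds up if somebody actually verifies it. As an added example (my own, not from this thread or any PCI tool), here is a small Python retention sweep that finds flat-file records holding Luhn-valid card numbers and flags those left unencrypted past the agreed window; the file names and contents in SAMPLE are constructed, and the file walker that would feed real files into flag_stale is left to the reader.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which drops most random digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in a text blob."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def flag_stale(records, max_age_s: float, now: float) -> list:
    """records: iterable of (name, mtime_s, text), e.g. from os.walk + getmtime.
    Return (name, age_s, pan_count) for files holding card numbers past the window."""
    flagged = []
    for name, mtime, text in records:
        pans = find_pans(text)
        age = now - mtime
        if pans and age > max_age_s:
            flagged.append((name, int(age), len(pans)))
    return flagged


# Constructed sample records (mtime in seconds, then the flat-file contents).
SAMPLE = [
    ("export_jun01.csv", 0.0, "cust,pan\nA. Smith,4111 1111 1111 1111\n"),
    ("export_jun26.csv", 86400.0, "cust,pan\nB. Jones,5500-0000-0000-0004\n"),
    ("orders.log", 0.0, "order 123456789012 shipped\n"),  # too short, no PAN
]

if __name__ == "__main__":
    # Two-day window evaluated at day 3: only the oldest export is overdue.
    for name, age, n in flag_stale(SAMPLE, 2 * 86400, 3 * 86400):
        print(f"{name}: {n} card number(s) unencrypted for {age // 86400} days")
```

The Luhn filter keeps the sweep from screaming about every long order or phone number, but a hit still needs a human to confirm it is a real PAN before the file is encrypted or purged.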