Requirement 3.1 of the Payment Card Industry Data Security Standard (PCI DSS) requires merchants keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
To keep, or not to keep -- that is the question. Whether it is nobler in the eyes of your acquiring bank to retain your transaction data, and risk a breach, or to take arms against the conventional wisdom that the merchant must retain massive amounts of private data in order to fend off the odd contested transaction. Ay, there's the rub.
Many banks insist that their merchants retain complete records of all credit card transactions in case there is a disputed transaction. However, all the merchant needs is the authorization number from the processor, the dollar amount and to have checked the customer's identification for a card present transaction, or to get the card verification value code and billing zip code for a card not present at the transaction.
Yet this topic comes back to haunt us. The National Retail Federation wants the acquiring banks to store the data and provide a code to the merchant which would relieve the merchants of their burden to store the data. But that's just what already exists in the form of the authorization code! One merchant insisted that they must retain the full transaction data -- credit card number, expiration date, etc. -- for seven years. Unless there's been fraud, not even the IRS requires that.
So are there valid reasons to store the data? Possibly. Customers leave their credit card data at Amazon or PayPal, and the benefits to those merchants are clear -- ease of future transactions which presumably increase sales. There are other valid reasons, such as recurring payments. If a merchant does decide to store the data for a legitimate business reason then they are required to protect it.
What then is the merchant to do?
-- First, have a good set of policies and well-documented business practices. Also encrypt or otherwise protect the data (if the entire card number is stored).
-- Second, have those policies and practices reviewed on a periodic basis (annually at a minimum) by one or more experts in the field. These include law, privacy and security experts.
-- Finally, question yourself over retention in the first place. Is the risk and cost of retention worth the benefits of having the data on hand?
See sidebar for testing procedures.
About the author:
Roger Nebel, CISSP, CISA, works with FTI Consulting, specializing in forensic and litigation consulting. He is based in Washington DC where he leads the Strategic Security practice. Nebel also teaches at the University of Virginia in the graduate information security program. He can be reached at firstname.lastname@example.org. The views expressed in the article are held by the author and are not necessarily representative of FTI Consulting.
This was first published in December 2008