2.4 PA-DSS Guidelines
5
of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and
magnetic-stripe data.
In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The accountholders name,
• Primary account number (PAN),
• Expiration date, and
• Service code
• To minimize risk, store only those data elements needed for business.
Note: See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information. PCI
Data Security Standard Requirement 3.2.1
1.1.2 After authorization, do not store the card-validation value or code (three-digit or four-digit number printed on
the front or back of a payment card) used to verify card-not-present transactions. Note: See PCI DSS and P
←
-
A-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information. PCI Data Security Standard
Requirement 3.2.2
1.1.3 After authorization, do not store the personal identification number (PIN) or the encrypted PIN block.
Note: See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information. PCI
Data Security Standard Requirement 3.2.3
1.1.4 Securely delete any magnetic stripe data, card validation values or codes, and PINs or PIN block data stored
by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion,
as defined, for example by the list of approved products maintained by the National Security Agency, or by other
State or National standards or regulations. PCI Data Security Standard Requirement 3.2
Note: This requirement only applies if previous versions of the payment application stored sensitive authentication
data.
1.1.5 Securely delete any sensitive authentication data (pre-authorization data) used for debugging or troubleshoot-
ing purposes from log files, debugging files, and other data sources received from customers, to ensure that mag-
netic stripe data, card validation codes or values, and PINs or PIN block data are not stored on software vendor
systems. These data sources must be collected in limited amounts and only when necessary to resolve a problem,
encrypted while stored, and deleted immediately after use. PCI Data Security Standard Requirement 3.2
2. Protect stored cardholder data
2.1 Software vendor must provide guidance to customers regarding purging of cardholder data after expiration of
customer-defined retention period. PCI Data Security Standard Requirement 3.1
2.2 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
Notes:
• This requirement does not apply to those employees and other parties with a legitimate business need to see
full PAN;
• This requirement does not supersede stricter requirements in place for displays of cardholder datafor exam-
ple, for point-of-sale (POS) receipts. PCI Data Security Standard Requirement 3.3
2.3 Render PAN, at a minimum, unreadable anywhere it is stored, (including data on portable digital media, backup
media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography with associated key management processes and procedures
• Truncation
IDTech Windows SDK Guide for Kiosk III/IV #80136501-001