Hello everyone,
We may be a little behind the curve on this one but our team is really trying to nail down our organization with respect to the PCI specification. With respect to Requirement 3 (cardholder data) I was wondering how everyone else is handling this. More specifically:
-How long are you holding onto the full credit card #s?
-Who has access?
-What is your purge process and how often?
-Does anyone do a purge of the credit card number but keep the last 4 for later reference or something similar?
I also wonder if anyone has already developed a tool/script for removing or putting in dummy CC#s in their Test system as part of their copy-down procedure.
Any and all tips and comments are welcome.
Thanks to everyone in advance!
Sean Pinto
Center Theatre Group
213.972.7292
spinto@ctgla.org
Sean,
We have been through the headache that is PCI compliance. I feel your pain, but there is light at the end of the tunnel. We do not purge our system; I don't know of a requirement that says you need to. We do truncate the t_account_data table when we replicate our live environment into our test or conversion environment to minimize risk. Anyone who uses Tessitura has access to the credit card data; however, we have it set up so they can only see the last 4 digits of the card number through the application. The only person who can view the entire credit card number is the DBA, and that is only if a script is run to decrypt the data. Also know that if the database is restored to another server and those database keys are not present, no amount of scripting will allow you to view the data.
The script I use to delete the data out of test or conversion is truncate table t_account_data. All test data is entered by a person via the web or the client; we do not script entry into this table. You can use the web API testing harness to do this en masse via the web. I believe it is on TASK.
Hope this helps!
Naomi
We purge CC#s after 12 months of non-use.
Only Tessitura Administrators have access to the full number and this is only because we can't turn this off in security for Administrators.
We use Tessitura's Purge process in reports and utilities/Data Management/Purge Credit Card Account Data
We do not keep the last 4 after purge. We really just don't need them after 12 months.
I am sure that during the Live to Test copy, you could run the "Purge Credit Card..." procedure to remove the Credit card numbers.
Hope this helps.
Marty Jones
Database Administrator
Omaha Performing Arts 1200 Douglas Street
Omaha, Nebraska 68102
P 402.661.8469 | F 402.345.0222
Marty.Jones@omahaperformingarts.org
www.omahaperformingarts.org
For tickets, call Ticket Omaha at 402.345.0606
From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Sean Pinto
Sent: Wednesday, September 01, 2010 12:11 PM
To: Martin A. Jones
Subject: [Tessitura Technical Forum] PCI Questions
We're heavy into PCI right now as well so this is very timely!
We've asked our financial auditors to weigh in on this but haven't gotten an answer yet. I suspect we won't hold data for any more than a year and it may very well be less. The PCI requirement says: "3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy," so it's definitely open to interpretation.
Only our admins and 1 person in Finance have access to the full credit card numbers.
We plan to purge using the utility supplied by Tessitura and will probably do it quarterly.
I haven't looked at the utility in detail. If it allows us to do this we probably will. If not I'm sure we can live without.
Kjersten
We do an annual purge, using the stored procedure. Our purpose in keeping credit card numbers is to facilitate refunds, particularly bulk refunds on cancelled shows, so we wait until after the last show of our season to do this. However, at that point we will have already begun sales on our next season, so we set the parameters to purge all cards that have not been used within the period of our new season onsale.
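The following is an added example, not code from the original posters or from Tessitura, showing the two operations this thread keeps coming back to in runnable form: the retention purge (full card numbers not used within a period are reduced to their last four, which is the truncation method Requirement 3.4 lists for rendering a stored PAN unreadable) and the copy-down sanitization Sean asked about (every remaining full number in the test copy replaced with a non-numeric dummy that preserves the last four). It runs against an in-memory SQLite table whose name and columns (account_data with id, card_number, last_used, notes) are assumptions for the example, not the t_account_data schema, and the card numbers are the standard Luhn-valid test numbers, not real accounts. It also adds the check a practitioner wants after a copy-down: a scan of every text column of every table for Luhn-valid 13-19 digit runs, which catches a card number someone typed into a notes field, the kind of leak a sanitizer that only knows the card column never sees.

```python
import re
import sqlite3

# Constructed sample rows for a hypothetical account table. The column names
# (id, card_number, last_used, notes) are assumptions for this example and are
# not Tessitura's t_account_data schema. The PANs are published test numbers
# that pass a Luhn check but belong to no real account. Row 3 deliberately
# repeats its card number inside a free-text column.
SAMPLE_ROWS = [
    (1, "4111111111111111", "2009-06-15", "Spring 2009 subscription"),
    (2, "5500000000000004", "2010-08-30", "Fall 2010 single ticket"),
    (3, "340000000000009", "2008-11-02", "Note: card 340000000000009 on file"),
]

# 13 to 19 consecutive digits is the shape of a PAN; the Luhn check filters
# most false hits such as long numeric IDs.
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def build_db() -> sqlite3.Connection:
    """Stand-in for the live database: an in-memory copy loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account_data ("
        "id INTEGER PRIMARY KEY, card_number TEXT, last_used TEXT, notes TEXT)"
    )
    conn.executemany("INSERT INTO account_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def purge_unused(conn: sqlite3.Connection, cutoff_iso: str) -> int:
    """Retention purge: cards not used since the cutoff keep only their last
    four digits (truncation), so the row stays usable for lookup without
    holding a full PAN. Returns the number of rows truncated."""
    cur = conn.execute(
        "UPDATE account_data SET card_number = substr(card_number, -4) "
        "WHERE last_used < ? AND length(card_number) > 4",
        (cutoff_iso,),
    )
    conn.commit()
    return cur.rowcount


def sanitize_for_test(conn: sqlite3.Connection) -> int:
    """Copy-down step: replace every remaining full PAN with a dummy that is
    deliberately non-numeric but preserves the last four, so the test system
    still shows what the application shows. Returns the rows rewritten."""
    cur = conn.execute(
        "UPDATE account_data "
        "SET card_number = 'XXXX-XXXX-XXXX-' || substr(card_number, -4) "
        "WHERE length(card_number) > 4"
    )
    conn.commit()
    return cur.rowcount


def find_residual_pans(conn: sqlite3.Connection) -> list:
    """Verification: scan every TEXT column of every table for Luhn-valid
    13-19 digit runs and return (table, column, rowid) for each hit."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # table names come from sqlite_master, not from user input
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")
                if str(r[2]).upper() == "TEXT"]
        for col in cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if value is None:
                    continue
                if any(luhn_ok(run) for run in PAN_RE.findall(str(value))):
                    hits.append((table, col, rowid))
    return hits


def copy_down(cutoff_iso: str) -> dict:
    """Run the whole constructed scenario: purge, sanitize, then verify."""
    conn = build_db()
    purged = purge_unused(conn, cutoff_iso)
    masked = sanitize_for_test(conn)
    leftovers = find_residual_pans(conn)
    rows = conn.execute(
        "SELECT id, card_number FROM account_data ORDER BY id").fetchall()
    conn.close()
    return {"purged": purged, "masked": masked, "leftovers": leftovers, "rows": rows}


if __name__ == "__main__":
    # Cutoff is 12 months before the thread's September 2010 date (assumed).
    print(copy_down("2009-09-01"))
```

With the constructed rows, the purge truncates the two cards unused since the cutoff, the sanitizer rewrites the one full number left, and the scan still reports row 3's notes column, because the sanitizer only rewrote card_number. That leftover is the point of running the scan against the restored test copy before anyone gets access to it. On SQL Server the same three statements map onto RIGHT(card_number, 4) and a cursor over INFORMATION_SCHEMA.COLUMNS, and the scan should run against the test copy, never as a substitute for the encryption and key handling on the live system.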