PCI Questions

Hello everyone,

We may be a little behind the curve on this one but our team is really trying to nail down our organization with respect to the PCI specification. With respect to Requirement 3 (cardholder data) I was wondering how everyone else is handling this. More specifically:

-How long are you holding onto the full credit card #s?

-Who has access?

-What is your purge process and how often?

-Does anyone do a purge of the credit card number but keep the last 4 for later reference or something similar?


I also wonder if anyone might have already developed a tool/script for removing or putting in dummy CC# in their Test system as part of their copy-down procedure.


Any and all tips and comments are welcome.


Thanks to everyone in advance!


Sean Pinto

Center Theatre Group

213.972.7292

spinto@ctgla.org

Former Member

Sean,

We have been through the headache that is PCI compliance, I feel your pain but there is light at the end of the tunnel. We do not purge our system, I don't know of a requirement that says you need to. We do truncate the t_account_data table when we replicate our live environment into our test or conversion environment to minimize risk. Anyone who uses Tessitura has access to the credit card data however we have it set up so they can only see the last 4 digits of the card number through the application. The only person who can view the entire credit card number is the DBA and that is only if a script is run to decrypt the data. Also know that if the database is restored to another server and those database keys are not present no amount of scripting will allow you to view the data.

The script I use to delete the data out of test or conversion is truncate table t_account_data. All test data entered is via a person via the web or the client, we do not script entry into this table. You can use the web API testing harness to do this en masse via the web. I believe it is on TASK.

Hope this helps!

Naomi
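Sean asked about a copy-down script that removes card numbers or substitutes dummy ones, and Naomi's approach is to truncate t_account_data outright. As an added illustration (not code from either poster or from Tessitura), this Python sketch shows the two softer options, masking down to the last 4 and a Luhn-valid dummy number, plus a post-copy-down scan for anything left behind; the column names and sample rows are constructed assumptions, not the real table layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a copied-down account table (assumed columns, not Tessitura's).
# The card numbers are the well-known public test PANs, not real accounts.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"id": "1", "card_number": "4111111111111111", "notes": "season subscriber"},
    {"id": "2", "card_number": "5555555555554444",
     "notes": "asked to bill card 5555555555554444 again next year"},
]

def luhn_valid(digits: str) -> bool:
    """Standard mod-10 (Luhn) check that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits (the 'last 4 for later reference' case)."""
    return "*" * (len(pan) - 4) + pan[-4:]

def dummy_pan(pan: str, filler: str = "0") -> str:
    """Luhn-valid placeholder that keeps the last four digits and fills the rest.
    One digit just before the last four is chosen so the whole number passes Luhn,
    for test code that insists on a numeric, checksum-valid card field."""
    last4, body = pan[-4:], filler * (len(pan) - 5)
    for d in "0123456789":
        candidate = body + d + last4
        if luhn_valid(candidate):
            return candidate
    raise ValueError("unreachable: exactly one digit satisfies the checksum")

def scrub_rows(rows: List[Dict[str, str]], mode: str = "mask") -> List[Dict[str, str]]:
    """Rewrite the card_number column of every row; other columns are left as-is."""
    fn = mask_pan if mode == "mask" else dummy_pan
    return [{**row, "card_number": fn(row["card_number"])} for row in rows]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")   # 13-19 digit runs, not part of a longer number

def find_residual_pans(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Post-copy-down check: (row id, field) for every Luhn-valid digit run in ANY field."""
    hits = []
    for row in rows:
        for field, value in row.items():
            hits += [(row["id"], field) for m in PAN_RE.finditer(value) if luhn_valid(m.group())]
    return hits
```

Two things the run makes visible: a Luhn-valid dummy is indistinguishable from a real PAN to a discovery scan, so masking is the safer default, and a card number pasted into a free-text column survives a truncate of the card table, which is what the residual scan is for.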
