PCI Questions

Hello everyone,

We may be a little behind the curve on this one but our team is really trying to nail down our organization with respect to the PCI specification.  With respect to Requirement 3 (cardholder data) I was wondering how everyone else is handling this.  More specifically:

-How long are you holding onto the full credit card #s?

-Who has access?

-What is your purge process and how often?

-Does anyone do a purge of the credit card number but keep the last 4 for later reference or something similar?


I also wonder if anyone might have already developed a tool/script for removing or putting in dummy CC# in their Test system as part of their copy-down procedure.


Any and all tips and comments are welcome.


Thanks to everyone in advance!


Sean Pinto

Center Theatre Group

213.972.7292

spinto@ctgla.org

  • We're heavy into PCI right now as well so this is very timely!

    -How long are you holding onto the full credit card #s?

      We've asked our financial auditors to weigh in on this but haven't gotten an answer yet.  I suspect we won't hold data for any more than a year and it may very well be less.  The PCI requirement says: "3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy," so it's definitely open to interpretation.

    -Who has access?

      Only our admins and 1 person in Finance have access to the full credit card numbers.

    -What is your purge process and how often?

      We plan to purge using the utility supplied by Tessitura and will probably do it quarterly.

    -Does anyone do a purge of the credit card number but keep the last 4 for later reference or something similar?

      I haven't looked at the utility in detail.  If it allows us to do this we probably will.  If not I'm sure we can live without.

    Kjersten

  • We do an annual purge, using the stored procedure.  Our purpose in keeping credit card numbers is to facilitate refunds, particularly bulk refunds on cancelled shows, so we wait until after the last show of our season to do this.  However, at that point we will have already begun sales on our next season, so we set the parameters to purge all cards that have not been used within the period of our new season onsale.

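As an added illustration (not the Tessitura utility and not code from anyone in this thread), the two housekeeping steps discussed above in plain Python: masking a test copy down to the last four digits, as the original post asks about, and purging full numbers that have not been used since a cutoff while keeping the last four for reference, as the reply describes. The record layout, field names and dates are constructed for the example; a real schema would differ.

```python
"""Two Requirement 3 housekeeping steps discussed in the thread, as plain Python.
Record layout, field names and dates are constructed for this example."""
from dataclasses import dataclass, replace as dc_replace
from datetime import date
import re

@dataclass(frozen=True)
class CardRecord:
    customer_id: int
    pan: str         # full card number, or an already-masked value
    last_used: date  # date of the last transaction that used this card

def mask_pan(pan: str) -> str:
    """Keep only the last four digits and replace the rest with '*'.
    Spaces/dashes are ignored; an already-masked value comes back unchanged,
    so the step is safe to re-run on a test copy."""
    body = re.sub(r"[^0-9*]", "", pan)
    if len(body) < 4:
        raise ValueError("card value too short to mask")
    return "*" * (len(body) - 4) + body[-4:]

def mask_test_copy(records: list[CardRecord]) -> list[CardRecord]:
    """Copy-down step: every record in the test system keeps only its last four."""
    return [dc_replace(r, pan=mask_pan(r.pan)) for r in records]

def purge_unused(records: list[CardRecord], cutoff: date) -> list[CardRecord]:
    """Season-end purge: a card not used on or after the cutoff loses its full
    number but keeps the last four for later reference; recently used cards
    stay intact so refunds on the current season are still possible."""
    return [r if r.last_used >= cutoff else dc_replace(r, pan=mask_pan(r.pan))
            for r in records]

def full_pan_count(records: list[CardRecord]) -> int:
    """Check after either step: how many records still hold a full number
    (more than four digits). The expected answer after a copy-down is 0."""
    return sum(1 for r in records if len(re.sub(r"\D", "", r.pan)) > 4)

# Constructed sample using well-known test card numbers, not real cardholder data.
SAMPLE = [
    CardRecord(1, "4111 1111 1111 1111", date(2009, 3, 14)),
    CardRecord(2, "5500000000000004", date(2009, 11, 2)),
    CardRecord(3, "************0005", date(2008, 6, 30)),
]

if __name__ == "__main__":
    print("full numbers before:", full_pan_count(SAMPLE))
    print("full numbers after copy-down mask:", full_pan_count(mask_test_copy(SAMPLE)))
    for r in purge_unused(SAMPLE, date(2009, 9, 1)):
        print(r.customer_id, r.pan)
```

Running `full_pan_count` against the test system after the copy-down is the check that no full number slipped through.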