Information on Merchant Accounts,
Ecommerce and Credit Card Processing

October 9th, 2007 by Jamie Estep

A solution for PCI compliance – Stop storing data…


Computerworld magazine just published an article about the move for all businesses that accept credit cards to become PCI compliant.

The article covers the basic fact that retail store owners are required to store receipts with full credit card numbers on them for 18 months (they are, in case you didn’t know!).

The problem with the whole system, which is clearly outlined in the article, is that if card numbers were never stored, there wouldn’t be any need for PCI compliance. Since they are required to be stored by Visa and MasterCard, the system simply perpetuates itself.


2 Responses to “A solution for PCI compliance – Stop storing data…”

  1. Lauri October 10, 2007 at 12:58 am

    From the PCI DSS document itself:
    “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.”

    Processing and transmission are still a concern. It’s not only about storage.

    (If you refer to handing the processing and transmission part to a third party, then I’m sure storage can be handled the same.)

    p.s. On a related note, retail stores are quite amazing. I was recently in a supermarket in Prague (Tesco possibly?). After paying, I was about to throw my receipt away. One of our security guys took it out of curiosity and found that the system they had built/installed printed full credit card numbers onto receipts.

  2. Claims Management Software January 30, 2010 at 4:18 am

    there wouldn’t be any need for PCI compliance. Since they are required to be stored by Visa and MasterCard, the system simply perpetuates itself.