08-24-12 | Blog Post

PCI Compliant Hosting: Data Storage Guidelines

Blog Posts

Protecting stored cardholder data is the end goal of the PCI DSS (Payment Card Industry Data Security Standards) compliance requirements, and data storage is one important aspect of that goal.

The PCI SSC (Payment Card Industry Security Standards Council) has a handy guide to PCI DSS Data Storage Do’s and Don’ts explaining the best practices for the benefit of merchant and financial institutions that need advice on how to handle customer cardholder data.

When it comes to basic cardholder data storage, the PCI SSC recommends:

  • Merchants must understand the flow of payment card data throughout the entire transaction process
  • Payment card terminals must comply with PCI PIN (Personal ID Number) PTS (Transaction Security) requirements
  • Payment apps must comply with PA-DSS (Payment Application Data Security Standard)
  • Retain cardholder data only if authorized, and ensure its protection
  • Encrypt (use strong cryptography) all stored cardholder data, and use other security technologies to minimize risk
  • Check that all third parties who process cardholder data also comply with PCI standards.

A few ‘data don’ts’ include:

  • Don’t store cardholder unless absolutely necessary (limiting scope of applicable compliance requirements)
  • Don’t store sensitive authentication data found on payment card’s chip or magnetic stripe, including the verification code on the back or front of the card after authorization
  • Don’t allow payment terminals to print out personally identifiable payment card data
  • Don’t have servers outside of locked, fully-secured and access-controlled rooms
  • Don’t allow unauthorized people to access stored cardholder data

PCI Compliant Hosting White PaperAs a basic high-level overview, these guidelines are clear and intent on protecting data from unauthorized access and potential data leakage. A more in-depth analysis of the PCI DSS requirements from a PCI hosting provider perspective can be found in our PCI Compliant Hosting white paper that lists each technical requirement and outlines what a PCI compliant data center should entail. Security and data protection are paramount to merely checking off compliance requirements, and our white paper shows you how to achieve both.

Additional PCI resources you may find helpful:

References:

PCI DSS Data Storage Do’s and Don’ts (PDF)

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved