The rules about keeping 16-digit card numbers, CVV, and expiration dates.
By: Brand Barney
![](http://1.bp.blogspot.com/-TRAqNTHf8ds/U9lEF2aWqHI/AAAAAAAAAgY/FCVrhiYcKf0/s1600/pile+of+cards.png)
Everyone loves fails, am I right? Here’s a great (and true) security fail to illustrate bad card data storage.
One of my colleagues visited a customer to get some information about how they processed their credit cards. They told him how their secretary had a secure way of storing the inner-office credit cards. The secretary proudly explained, “Well, first I put all the card numbers and expiration dates in an Excel spreadsheet. Then I grab the column and scroll it over and it ‘encrypts’!”
Encryption fail...
Bless her heart. That secretary thought she had “encrypted” their credit cards because they showed up as a line of asterisks.
Let me summarize.
If it’s encrypted, here’s what you’re allowed to store:
- PAN (Primary Account Number) (e.g., the 16-digit number on the front of the card)
- Cardholder name (e.g., John Smith)
- Expiration date (e.g., 5/18)
- Service code (Note: You can’t actually see this data on a physical card because it resides in the magnetic stripe)
Even if it’s encrypted, you can NEVER store:
- Sensitive authentication data (i.e., full magnetic stripe info)
- PIN
- PIN block (i.e., the encrypted PIN)
- Card validation value (CVV), also known as the three/four-digit service code or card security code
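As an added illustration (not code from the original post), here is a small Python scanner that performs the check a spreadsheet like the secretary’s would fail: it flags column headers that name sensitive authentication data from the never-store list, and it finds Luhn-valid card numbers in the cells and reports them masked (first six and last four digits). The CSV is constructed sample data using well-known test card numbers; the header keywords are an assumed list.

```python
import csv
import io
import re

# Column names that indicate sensitive authentication data, which may never be stored
# (assumed header keywords; extend to match your own exports).
NEVER_STORE = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track", "track1", "track2", "magstripe"}

# Runs of 13 to 23 characters of digits, spaces and dashes, not glued to other digits.
DIGIT_RUN = re.compile(r"(?<!\d)\d[\d \-]{11,21}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; weeds out order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual display truncation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ \-]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_csv(csv_text: str) -> dict:
    reader = csv.reader(io.StringIO(csv_text))
    header = [h.strip().lower().replace(" ", "_") for h in next(reader)]
    forbidden_cols = sorted(c for c in header if c in NEVER_STORE)
    pans = []
    for row in reader:
        pans.extend(find_pans(",".join(row)))
    return {"forbidden_columns": forbidden_cols, "pans_found": pans}


# Constructed sample export: two standard test PANs plus an order number that fails Luhn.
SAMPLE_CSV = """Cardholder,Card Number,Exp,CVV
John Smith,4111 1111 1111 1111,05/18,123
Jane Doe,5500000000000004,11/19,456
Notes,order 1234567890123,,
"""

if __name__ == "__main__":
    print(scan_csv(SAMPLE_CSV))
```

Any hit in `forbidden_columns` means the file holds data that can never be stored; `pans_found` lists card numbers that must be removed or encrypted.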
Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.
Brand Barney (CISSP) is a Security Analyst at SecurityMetrics and has over 10 years of compliance, data security, and database management experience. Follow him on Twitter and check out his other blog posts.