Question

Would you consider the use of caching products in the category of data at rest?


Solution

This is a complex issue, but anything that is held for over 24 hours is considered "storage" and is under strict controls about how card data is handled - no CV2, for example.

But also, the data must be on its way to the card transaction and not in the return path after the transaction.

You probably need to discuss your specific example, and exactly what use of which bits of card data you are concerned about, with your QSA.

OTHER TIPS

Yes. It doesn't matter what the product is, if it stores, processes or transmits payment card data then it is within scope of PCI-DSS.

Having said that, if your caching device only stores encrypted data and doesn't have access to any keys used for decryption, then you should be able to agree with your QSA that it is out of scope for your assessment.

If it does handle unencrypted payment card data, or if it has access to decryption keys, then you will have to implement at least a subset of the PCI-DSS controls for the caching devices.

Agreed, this is complex, but based on my understanding there are a couple of principles you can draw from in PCI-DSS:

  1. Cardholder data must be encrypted when being transmitted over an open network. So if you have a local cache and the data from the cache is to be transmitted over an open network, that's an area you will have to address.
  2. Store only what you need. If you don't need some parts of the cardholder data, including CV2 and expiry, then don't store it, even if it's being stored in what can't be considered data at rest.

It seems, in my view, that if your cache is storing cardholder data, it's going against the grain of the standard. The intention in relation to data storage (amongst others) is to limit storage, use and transmission of sensitive data to only where actually required. Without further details from you on your cache content, I can't imagine why you need to cache sensitive data.

I certainly agree with Mr Cheekysoft that you should be open and discuss this with your QSA, as I am sure he/she, once enlightened on the details, will be able to provide you with some guidance.
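The two design points the answers above converge on (the caching tier only ever holds ciphertext and never the key, and sensitive authentication data such as CV2 and track data is dropped before anything is written) can be expressed as a thin wrapper in front of the cache. The following is an added example, not code from the question or any of the answers. It assumes a dictionary standing in for a memcached/redis backend, an application-held master key, and a per-deployment allow-list of the fields the application actually needs back; the encryption is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing outside the standard library, and a real deployment would use AES-GCM from a vetted library with the key in an HSM or KMS.

```python
import hashlib
import hmac
import json
import os
from typing import Any, Dict, Iterable, Tuple

# Sensitive authentication data (SAD): PCI-DSS says this must never be stored
# after authorisation, so the wrapper discards these fields unconditionally.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "cv2", "cvc", "track1", "track2", "pin_block"})


def _derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split the application-held master key into separate encryption and MAC keys."""
    enc = hmac.new(master_key, b"cache-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"cache-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR in this example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> Dict[str, str]:
    """Encrypt-then-MAC. The returned blob carries nonce, ciphertext and tag only; no key material."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(master_key: bytes, blob: Dict[str, str]) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; reject tampered entries."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ct, tag = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cache entry failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mask_pan(pan: str) -> str:
    """First six and last four digits in the clear, the rest masked (the common display form)."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardDataCache:
    """Wrapper that keeps the cache backend out of scope: the backend (a dict here,
    standing in for memcached/redis) receives only ciphertext, a tag and a masked PAN,
    and never the master key."""

    def __init__(self, backend: Dict[str, Any], master_key: bytes, needed_fields: Iterable[str]):
        self.backend = backend
        self._master_key = master_key  # lives in the application process only
        # Allow-list of fields this deployment genuinely needs back (assumed per deployment);
        # SAD is excluded even if someone adds it to the allow-list by mistake.
        self._needed = frozenset(needed_fields) - SENSITIVE_AUTH_FIELDS

    def store(self, cache_key: str, record: Dict[str, Any]) -> Dict[str, Any]:
        # 1. "Store only what you need": drop SAD and every field not on the allow-list.
        kept = {k: v for k, v in record.items() if k in self._needed}
        # 2. Encrypt the remaining cardholder data before it ever reaches the backend.
        blob = encrypt(self._master_key, json.dumps(kept, sort_keys=True).encode())
        blob["masked_pan"] = mask_pan(str(kept.get("pan", "")))
        self.backend[cache_key] = blob
        return blob

    def load(self, cache_key: str) -> Dict[str, Any]:
        return json.loads(decrypt(self._master_key, self.backend[cache_key]))


def backend_contains(backend: Dict[str, Any], needle: str) -> bool:
    """Audit helper: does the serialized backend contain a given value or field name in the clear?"""
    return needle in json.dumps(backend)
```

The check a QSA will want to see is the last function: serialize whatever the cache tier actually holds and confirm that neither the full PAN nor any SAD field name appears in it, while the application process alone can turn the entry back into the fields it needs.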

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow