[PA-DSS] 2. Protect stored cardholder data


  1. [PA-DSS] 2.1 Software vendor must provide guidance to customers regarding purging of cardholder data after expiration of customer-defined retention period
  2. [PA-DSS] 2.2 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)
  3. [PA-DSS] 2.3 Render PAN, at a minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches
  4. [PA-DSS] 2.4 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts
  5. [PA-DSS] 2.5 Payment application must protect encryption keys used for encryption of cardholder data against disclosure and misuse
  6. [PA-DSS] 2.6 Payment application must implement key management processes and procedures for keys used for encryption of cardholder data
  7. [PA-DSS] 2.7 Securely delete any cryptographic key material or cryptogram stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example, by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations. These are cryptographic keys used to encrypt or verify cardholder data