admin · #1 03-18-2007, 02:42 AM

1.1.5 Securely delete any sensitive authentication data (pre-authorization data) used for debugging or troubleshooting purposes from log files, debugging files, and other data sources received from customers, to ensure that magnetic stripe data, card validation codes or values, and PINS or PIN block data are not stored on software vendor systems. These data sources must be collected in limited amounts and only when necessary to resolve a problem, encrypted while stored, and deleted immediately after use.

PCI Data Security Standard Requirement 3.2

Testing Procedures:

1.1.5.a Examine the software vendor's procedures for troubleshooting customers's problems and verify the procedures include:

Collection of sensitive authentication data only when needed to solve a specific problem
Storage of such data in a specific, known location with limited access
Collection of only a limited amount of data needed to solve a specific problem
Encryption of sensitive authentication data while stored
Secure deletion of such data immediately after use.

1.1.5.b Select a sample of recent troubleshooting requests from customers, and verify each event followed the procedure examined at 1.1.6.a.

1.1.5.c Review the PA-DSS Implementation Guide prepared by the vendor and verify the documentation includes the following instructions for customers and resellers/integrators:

Collect sensitive authentication only when needed to solve a specific problem
Store such data only in specific, known locations with limited access
Collect only the limited amount of data needed to solve a specific problem
Encrypt sensitive authentication data while stored
Securely delete such data immediately after use.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode