THE DATA

TAKE ACTION TO DROP THE DATA
Eliminating prohibited data should be a business owner’s first priority in taking action against risks to their payment system.
• Check your POS systems. Small businesses that use commercially available POS systems or payment software should contact their vendors to determine whether the systems they use store prohibited data after transaction authorization.
• Ask your POS or payment software vendor (or reseller/integrator) to confirm that your software version does not store magnetic stripe data, CVV2, PINs or encrypted PIN blocks. If it does, these data elements must be removed immediately, including any historical data that has been stored in database or log files.
• Ask your payment software vendor to share a list of files written by the application and a summary of the contents of those files to verify that prohibited data is not stored.
• Confirm with your payment processor that all cardholder data storage is necessary and appropriate for the transaction type.
• Verify that your POS software version has been validated as compliant with the Visa Payment Application Best Practices (PABP) program. Visa created the PABP program to facilitate compliance with the PCI DSS by establishing minimum standards for payment applications. A list of PABP-compliant applications is available at www.visa.com/pabp.
• In addition to knowing what data you store, it’s important to know what your vendors are storing.
• Not every small business owner can be a security expert. Outside vendors can help.
• Simply stated, our message to businesses boils down to “Drop the Data.” It’s important that merchants know exactly what they NEED to store and store ONLY that. Most businesses don’t need to store any payment card data.

HOW TO MINIMIZE DATA STORAGE

It is permissible to store the following data from the magnetic stripe:

  • Cardholder's Name
  • Primary Account Number
  • Expiration Date
  • Service Code

These values, which should only be stored if needed, must be protected in accordance with the PCI DSS. Small businesses can limit the damage from a compromise by not storing magnetic stripe data, CVV2 and PIN blocks. Small businesses can also decrease their risk by storing cardholder data only when it is needed to perform business functions.
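The vendor check above (a list of files the application writes, inspected for prohibited data) and the permitted-element list can both be illustrated in code. The following is an added example, not part of the Visa brochure: it parses the Track 1 and Track 2 layouts (ISO 7813), keeps only the four elements the brochure permits, and scans constructed log lines for full track data that should not be present after authorization. The sample lines and the test card number are constructed for the example.

```python
import re

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")


def extract_permitted(text):
    """Return only the elements the brochure allows to be retained:
    cardholder name, PAN, expiration date and service code. The discretionary
    data (which carries the card verification value) is discarded."""
    m = TRACK1_RE.search(text)
    if m:
        pan, name, yymm, service, _discretionary = m.groups()
        return {"pan": pan, "name": name.strip(), "expiry": yymm,
                "service_code": service}
    m = TRACK2_RE.search(text)
    if m:
        pan, yymm, service, _discretionary = m.groups()
        return {"pan": pan, "expiry": yymm, "service_code": service}
    return None


def find_prohibited_data(lines):
    """Flag log lines that still contain full track data. Returns a list of
    (line number, track type) so a reviewer can locate each finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        if TRACK1_RE.search(line):
            findings.append((n, "track1"))
        elif TRACK2_RE.search(line):
            findings.append((n, "track2"))
    return findings


# Constructed sample log lines; 4111111111111111 is a well-known test number.
SAMPLE_LOG = [
    "2023-01-01 12:00:01 AUTH ok txn=0001 amount=12.50",
    "2023-01-01 12:00:02 DEBUG swipe=%B4111111111111111^DOE/JANE^25121010000000000?",
    "2023-01-01 12:00:03 DEBUG swipe=;4111111111111111=25121010000000000?",
]

if __name__ == "__main__":
    for n, kind in find_prohibited_data(SAMPLE_LOG):
        print(f"line {n}: full {kind} data present, must be purged")
    print(extract_permitted(SAMPLE_LOG[1]))
```

The retained PAN is still cardholder data and must be protected (or masked) under the PCI DSS; the scanner only shows which files hold data that should never have been written.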

In the end, there is simply no substitute for data security. It is a key component of customer service. All transactions—cash, check, and payment card—carry risk, and the best businesses work to minimize vulnerabilities on behalf of their customers. When customers lose trust in a company’s ability to protect their personal data, they will take their business elsewhere—or worse, abandon a planned transaction altogether. And no business is bad business for all of us.

FOUR SIMPLE STEPS TO ELIMINATE DATA RETENTION

A few steps -- usually easy and affordable -- can help ensure that you are not storing prohibited data and confirm that you are adequately protecting the cardholder data that you do store:

  1. CONSULT WITH YOUR TECHNOLOGY VENDOR: Have your technology vendor confirm that you are not storing full track, CVV2 or PIN data; update, patch or change software if it is not PABP-validated.
  2. CONTACT YOUR MERCHANT BANK: Use your bank as a resource for reviewing your technology and data storage practices.
  3. VISIT VISA.COM/PABP: View a list of payment applications that have been validated as being PABP compliant and will help support your compliance.
  4. CONFIRM PCI DSS COMPLIANCE OF YOUR AGENTS: Verify that third-party agents handling cardholder data on your behalf are PCI DSS compliant and listed on Visa's website at www.visa.com/cisp.