On Thu, 16 Feb 2012, Phil Pennock wrote:

> On 2012-02-16 at 20:20 -0800, Dave Close wrote:
>> Ok, so they convert the number to their own "Guest ID". But that would
>> be a one-time conversion unless they keep a map. And if they have a map,
>> isn't that keeping the card number?
>
> Use a hash of the card number as the key for the map.

It's actually not against PCI to store the credit card number, but if you
do keep the credit card number it puts you in a different category of PCI
requirements and the protections you put around the card numbers (and the
systems and networks that contain them) become much, much more severe.

If you think about it, any company that bills your credit card number
repeatedly needs to store the number so it doesn't ask you for it each
time.

Some people 'outsource' this to a third party and just store a ticket that
the third party can then map to the real card for the next billing cycle,
but that third party is storing the card numbers.

If you are a big enough business, it may make sense to do this internally
instead of using a third party.

David Lang
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
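
The ticket arrangement discussed in this thread, sketched as an added example that is not part of any poster's message: a vault (the third party, or an internal service) keeps the card numbers and issues random tickets, while the merchant stores only guest ID to ticket. The class names, the `tok_` prefix and the demo key are hypothetical, and the lookup index is assumed to use a keyed HMAC rather than a bare hash, because the space of valid card numbers is small enough to enumerate.

```python
import hashlib
import hmac
import secrets


class CardVault:
    """Hypothetical stand-in for the party that stores card numbers."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the lookup index
        self._token_by_digest = {}    # HMAC(card number) -> ticket
        self._pan_by_token = {}       # ticket -> card number (encrypt at rest in practice)

    def _digest(self, pan: str) -> str:
        # Keyed hash: without the key, the index cannot be reversed by
        # hashing every candidate card number and comparing.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the ticket for a card, issuing a random one on first sight."""
        pan = "".join(ch for ch in pan if ch.isdigit())
        digest = self._digest(pan)
        token = self._token_by_digest.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the card
            self._token_by_digest[digest] = token
            self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, cents: int) -> str:
        """Bill the card behind a ticket; the caller never sees the number."""
        pan = self._pan_by_token[token]  # KeyError for an unknown ticket
        return f"charged {cents} to card ending {pan[-4:]}"


class Merchant:
    """Stores only guest ID -> ticket; no card numbers on this side."""

    def __init__(self, vault: CardVault):
        self._vault = vault
        self.tickets = {}

    def enroll(self, guest_id: str, pan: str) -> None:
        self.tickets[guest_id] = self._vault.tokenize(pan)

    def bill(self, guest_id: str, cents: int) -> str:
        return self._vault.charge(self.tickets[guest_id], cents)
```

The same card always maps to the same ticket, so repeat billing works from the ticket alone, and only the vault's storage and key fall under the heavier card-storage requirements.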