views: 131
answers: 2

Would you consider the use of caching products in the category of data at rest?

A: 

This is a complex issue, but anything that is held for over 24 hours is considered "storage" and is under strict controls about how card data is handled (no CV2, for example).

But the data must also be on its way to the card transaction, not in the return path after the transaction.

You probably need to discuss your specific example, and exactly what use of which bits of card data you are concerned about, with your QSA.

Cheekysoft
A: 

Agreed, this is complex, but based on my understanding there are a number of principles you can draw from in PCI-DSS:

  1. Cardholder data must be encrypted when being transmitted over an open network. So if you have a local cache and the data from the cache is to be transmitted over an open network, that's an area you will have to address.
  2. Store only what you need. If you don't need some parts of the cardholder data, including CV2 and expiry, then don't store it, even if it's being stored in what can't be considered data at rest.

It seems, in my view, that if your cache is storing cardholder data, it's going against the grain of the standard. The intention in relation to data storage (amongst others) is to limit storage, use and transmission of sensitive data to only where actually required. Without further details from you on your cache content, I can't imagine why you need to cache sensitive data.

I certainly agree with Mr Cheekysoft that you should be open and discuss with your QSA, as I am sure he/she, once enlightened on the details, will be able to provide you with some guidance.

miltonb
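As an added illustration of the two answers above (not code from either poster), here is a hypothetical cache wrapper that enforces their points: it rejects sensitive authentication data such as CV2 outright, keeps only the fields the caller declares it needs, and refuses a TTL beyond the 24-hour threshold the first answer gives for data becoming "storage". The field names and the `CardCache` class are assumptions for the example.

```python
import time

# Sensitive authentication data (CV2/CVV, PIN, track data): never cached at all.
# Field names are constructed for this example.
FORBIDDEN_FIELDS = {"cv2", "cvv", "cvc", "pin", "track_data"}

# Beyond this age the first answer treats cached data as "storage" (24 hours).
MAX_TTL_SECONDS = 24 * 60 * 60


class CardCache:
    """Hypothetical in-memory cache that only holds an explicit allowlist of fields."""

    def __init__(self, needed_fields, ttl_seconds=MAX_TTL_SECONDS):
        bad = {f.lower() for f in needed_fields} & FORBIDDEN_FIELDS
        if bad:
            raise ValueError(f"sensitive authentication data cannot be cached: {bad}")
        if ttl_seconds > MAX_TTL_SECONDS:
            raise ValueError("TTL above 24h turns the cache into storage under PCI-DSS")
        self.needed_fields = set(needed_fields)
        self.ttl_seconds = ttl_seconds
        self._entries = {}

    def sanitize(self, record):
        """Fail closed on forbidden fields; keep only what the caller declared it needs."""
        present = {k.lower() for k in record} & FORBIDDEN_FIELDS
        if present:
            raise ValueError(f"refusing to cache sensitive authentication data: {present}")
        return {k: v for k, v in record.items() if k in self.needed_fields}

    def put(self, key, record, now=None):
        now = time.time() if now is None else now
        self._entries[key] = (now + self.ttl_seconds, self.sanitize(record))

    def get(self, key, now=None):
        """Return the cached fields, or None once the entry has expired."""
        now = time.time() if now is None else now
        item = self._entries.get(key)
        if item is None:
            return None
        expires_at, record = item
        if now >= expires_at:
            del self._entries[key]   # expired: drop it rather than let it linger
            return None
        return record
```

The `now` parameter exists only so expiry can be exercised deterministically; in real use the wall clock is taken.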