Educause Security Discussion mailing list archives
PCI question
From: Mike Cunningham <mike.cunningham () PCT EDU>
Date: Wed, 16 Aug 2017 18:26:48 +0000
We have (had) a process that stored credit card numbers, expiration dates and CVV codes locally (encrypted) for a few days while the office needing the information worked on processing the charge (for reasons I can't go into in a short email, they were not able to do real-time validation and charging). We recently tokenized the data, so the card number and expiration date are now immediately sent to a PCI-approved cloud service which stores the info, and we retrieve it when needed using a token. When we made this change we found that the cloud service will not store and return the CVV code. It will only store and return the card number and expiration date. But we need the CVV to process the charge. So for now we left the CVV code stored locally (encrypted) and so have access to process the transaction. Once the charge is processed we do remove the CVV code from local storage.

While we were working on this we were told that storing the CVV the way we are is a violation of PCI guidelines. We have found conflicting data online. Some places say you can't store it; others say you can't store it after authorization. We are not keeping it after authorization, but we are storing it for a short period of time. I know the regulations don't speak to volume of transactions the way they used to, but we do only store at most 10 transactions at any time before they get processed.

Does anyone have an opinion on which way to read the PCI regulations? If we really can't store the CVV locally and the cloud service can't store it either, is there anything we can do, or is our only choice to change business process and do an immediate charge to the card?

Thanks

Mike Cunningham
Pennsylvania College of Technology
Current thread:
- PCI question Mike Cunningham (Aug 16)
- Re: PCI question Penn, Blake C (Aug 16)
- <Possible follow-ups>
- Re: PCI question Murphy, Jeffrey (Aug 16)
- Re: PCI question Lazarus, Carolann (Aug 18)