https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/27662#M14617 <P>@tanin47&nbsp; :&nbsp; I would be interested in finding out how you got around your issue.&nbsp; We are not a restaurant, but do also require to process tips.&nbsp; I am thinking that for you, you can use the standard Auth and Auth_Capture routines, but we, unfortunately, due to the business type, are told to refrain from doing so, which is why I am interested in your solution.</P><P>&nbsp;</P><P>Regards,</P><P>-Trevor B</P> Tue, 03 Jul 2012 18:15:55 GMT TrevorB 2012-07-03T18:15:55Z https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4321#M3856 <P>I'd like to ask if it is PCI PA-DSS compliant, if I retain a full track data of a&nbsp;<BR />credit card in C# variable.<BR /><BR />For around 10 - 15 minutes, for charging tips.<BR /><BR />It means that the track data is on RAM (<SPAN class="yshortcuts">volatile memory</SPAN>).<BR /><BR />In PCI PA-DSS, Article 1.1.1 says that "After authorization, do not store the&nbsp;<BR />full contents of any track from the magnetic stripe".<BR /><BR />The testing procedure of 1.1.1 is to examine&nbsp;<BR /><BR />- Incoming transaction data<BR />-&nbsp;<SPAN class="yshortcuts">Transaction logs</SPAN><BR />- History files<BR />- Trace files<BR />-&nbsp;<SPAN class="yshortcuts">Non-volatile memory</SPAN>, including non-volatile cache<BR />-&nbsp;<SPAN class="yshortcuts">Debugging</SPAN>&nbsp;and error logs<BR />- Audit logs<BR />- Database schemas and tables<BR />- Database contents<BR /><BR />The list does not include RAM. It means that I can retain a track data of a&nbsp;<BR />credit card in C# variable.<BR /><BR />Am I correct?</P> Fri, 30 Jul 2010 02:19:40 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4321#M3856 tanin47 2010-07-30T02:19:40Z https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4325#M3858 <P>Your data in RAM can easily be paged out to hard drive if RAM is "full".</P><P>Therefore the credit card number can easily end up on the hard drive.</P><P>Therefore, I would say 'No"</P><P>You have to somehow guarantee that you don't "swap" that RAM to the hard drive...</P><P>I'm not an expert; I'm not the guy running the test; I know almost nothing about PCI specifics.</P><P>I *do* know that's the answer to most people who think their data is "safe" in RAM.</P><P>PS</P><P>RAM-sniffers can snoop into your RAM also, but if they've managed to break in that far, you're in trouble anyway...</P><P>&nbsp;</P> Fri, 30 Jul 2010 03:05:31 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4325#M3858 RichardLynch 2010-07-30T03:05:31Z https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4329#M3860 <P>On windows, we can disable RAM swapping feature.&nbsp;</P><P>&nbsp;</P><P>I asked a guy from a payment system company. He just keeps saying that "We cannot store the track data in any form even encrypted".</P><P>&nbsp;</P><P>PCI document does not provide any definition of storing. I know that writing the data onto database or file is prohibited. But keeping the data in a programming variable is questionable.</P><P>&nbsp;</P><P>According to the text, if we store the data in C# variable (RAM, volatile memory) after authorization, we will pass the requirement 1.1.1 though.</P><P>&nbsp;</P><P>I really have no idea whom to ask ....</P><P>&nbsp;</P><P>PS. I am developing a restaurant POS System which tries to charge tips after customers leave the table.</P> Fri, 30 Jul 2010 04:41:52 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4329#M3860 tanin47 2010-07-30T04:41:52Z https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4359#M3874 <P>Very good question and points by both of you. I honestly couldn't say for fear of giving the wrong answer though!</P> <P>&nbsp;</P> <P>I would say your best bet would be to check with the PCI Security Council. You can contact them through their website at <A href="https://www.pcisecuritystandards.org/index.shtml" target="_blank" rel="nofollow">https://www.pcisecuritystandards.org/index.shtml</A>.</P> <P>&nbsp;</P> <P>I'd be interested to see what they say!</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Michelle</P> <P>Developer Community Manager</P> Fri, 30 Jul 2010 22:02:34 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/4359#M3874 Michelle 2010-07-30T22:02:34Z https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/27662#M14617 <P>@tanin47&nbsp; :&nbsp; I would be interested in finding out how you got around your issue.&nbsp; We are not a restaurant, but do also require to process tips.&nbsp; I am thinking that for you, you can use the standard Auth and Auth_Capture routines, but we, unfortunately, due to the business type, are told to refrain from doing so, which is why I am interested in your solution.</P><P>&nbsp;</P><P>Regards,</P><P>-Trevor B</P> Tue, 03 Jul 2012 18:15:55 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/After-authorization-we-can-retain-full-track-data-of-a-credit/m-p/27662#M14617 TrevorB 2012-07-03T18:15:55Z