
After authorization, we can retain full track data of a credit card in C# variable. (or on RAM)

I'd like to ask whether it is PCI PA-DSS compliant if I retain the full track data of a 
credit card in a C# variable.

For around 10 - 15 minutes, for charging tips.

It means that the track data is on RAM (volatile memory).

In PCI PA-DSS, Article 1.1.1 says that "After authorization, do not store the 
full contents of any track from the magnetic stripe".

The testing procedure of 1.1.1 is to examine 

- Incoming transaction data
- Transaction logs
- History files
- Trace files
- Non-volatile memory, including non-volatile cache
- Debugging and error logs
- Audit logs
- Database schemas and tables
- Database contents

The list does not include RAM. It means that I can retain the track data of a 
credit card in a C# variable.

Am I correct?


Your data in RAM can easily be paged out to hard drive if RAM is "full".

Therefore the credit card number can easily end up on the hard drive.

Therefore, I would say "No".

You have to somehow guarantee that you don't "swap" that RAM to the hard drive...

I'm not an expert; I'm not the guy running the test; I know almost nothing about PCI specifics.

I *do* know that's the answer to most people who think their data is "safe" in RAM.


RAM-sniffers can snoop into your RAM also, but if they've managed to break in that far, you're in trouble anyway...
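To illustrate the paging point raised in this reply, here is an added example (not code from any poster in this thread) of keeping sensitive bytes in a pinned, page-locked buffer and wiping them on disposal. It assumes Windows and .NET Core 3.0 or later; `LockedBuffer` and the sample value are hypothetical names and data constructed for the illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// Added example: holds sensitive bytes in a pinned, page-locked buffer and wipes them on Dispose.
sealed class LockedBuffer : IDisposable
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualLock(IntPtr lpAddress, UIntPtr dwSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualUnlock(IntPtr lpAddress, UIntPtr dwSize);

    readonly byte[] _data;
    GCHandle _pin;   // not readonly: Free() mutates the handle
    public LockedBuffer(int size)
    {
        _data = new byte[size];
        // Pin so the GC cannot relocate the array and leave stale copies on the heap.
        _pin = GCHandle.Alloc(_data, GCHandleType.Pinned);
        // Ask Windows to keep these pages in physical memory instead of the page file.
        if (!VirtualLock(_pin.AddrOfPinnedObject(), (UIntPtr)(uint)size))
        {
            int err = Marshal.GetLastWin32Error();
            _pin.Free();
            throw new InvalidOperationException("VirtualLock failed, error " + err);
        }
    }

    public Span<byte> Bytes => _data;
    public void Dispose()
    {
        if (!_pin.IsAllocated) return;              // already disposed
        CryptographicOperations.ZeroMemory(_data);  // wipe before the pages are released
        VirtualUnlock(_pin.AddrOfPinnedObject(), (UIntPtr)(uint)_data.Length);
        _pin.Free();
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed placeholder, not real card data.
        byte[] sample = Encoding.ASCII.GetBytes("CONSTRUCTED-PLACEHOLDER-VALUE");
        using var buf = new LockedBuffer(sample.Length);
        sample.CopyTo(buf.Bytes);
        Array.Clear(sample, 0, sample.Length);      // wipe the unlocked source copy
        Console.WriteLine("held " + buf.Bytes.Length + " bytes in locked memory");
    }
}
```

Locking pages this way does not cover hibernation files or crash dumps, and any `string` built from the buffer is an unpinned, unwipeable copy outside it.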



On Windows, we can disable the RAM swapping feature.


I asked a guy from a payment system company. He just keeps saying that "We cannot store the track data in any form even encrypted".


The PCI document does not provide any definition of storing. I know that writing the data to a database or file is prohibited. But keeping the data in a programming variable is questionable.


According to the text, if we store the data in a C# variable (RAM, volatile memory) after authorization, we will pass requirement 1.1.1 though.


I really have no idea whom to ask ....


PS. I am developing a restaurant POS System which tries to charge tips after customers leave the table.

Very good question and points by both of you. I honestly couldn't say for fear of giving the wrong answer though!


I would say your best bet would be to check with the PCI Security Council. You can contact them through their website at


I'd be interested to see what they say!





Developer Community Manager

@tanin47: I would be interested in finding out how you got around your issue. We are not a restaurant, but do also require to process tips. I am thinking that for you, you can use the standard Auth and Auth_Capture routines, but we, unfortunately, due to the business type, are told to refrain from doing so, which is why I am interested in your solution.



-Trevor B