cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

After authorization, we can retain full track data of a credit card in C# variable. (or on RAM)

I'd like to ask if it is PCI PA-DSS compliant, if I retain a full track data of a 
credit card in C# variable.

For around 10 - 15 minutes, for charging tips.

It means that the track data is on RAM (volatile memory).

In PCI PA-DSS, Article 1.1.1 says that "After authorization, do not store the 
full contents of any track from the magnetic stripe".

The testing procedure of 1.1.1 is to examine 

- Incoming transaction data
Transaction logs
- History files
- Trace files
Non-volatile memory, including non-volatile cache
Debugging and error logs
- Audit logs
- Database schemas and tables
- Database contents

The list does not include RAM. It means that I can retain a track data of a 
credit card in C# variable.

Am I correct?

tanin47
Member
4 REPLIES 4

Your data in RAM can easily be paged out to hard drive if RAM is "full".

Therefore the credit card number can easily end up on the hard drive.

Therefore, I would say 'No"

You have to somehow guarantee that you don't "swap" that RAM to the hard drive...

I'm not an expert; I'm not the guy running the test; I know almost nothing about PCI specifics.

I *do* know that's the answer to most people who think their data is "safe" in RAM.

PS

RAM-sniffers can snoop into your RAM also, but if they've managed to break in that far, you're in trouble anyway...

 

RichardLynch
Member

On windows, we can disable RAM swapping feature. 

 

I asked a guy from a payment system company. He just keeps saying that "We cannot store the track data in any form even encrypted".

 

PCI document does not provide any definition of storing. I know that writing the data onto database or file is prohibited. But keeping the data in a programming variable is questionable.

 

According to the text, if we store the data in C# variable (RAM, volatile memory) after authorization, we will pass the requirement 1.1.1 though.

 

I really have no idea whom to ask ....

 

PS. I am developing a restaurant POS System which tries to charge tips after customers leave the table.

Very good question and points by both of you. I honestly couldn't say for fear of giving the wrong answer though!

 

I would say your best bet would be to check with the PCI Security Council. You can contact them through their website at https://www.pcisecuritystandards.org/index.shtml.

 

I'd be interested to see what they say!

 

Thanks,

 

Michelle

Developer Community Manager

@tanin47  :  I would be interested in finding out how you got around your issue.  We are not a restaurant, but do also require to process tips.  I am thinking that for you, you can use the standard Auth and Auth_Capture routines, but we, unfortunately, due to the business type, are told to refrain from doing so, which is why I am interested in your solution.

 

Regards,

-Trevor B