I'd like to ask if it is PCI PA-DSS compliant, if I retain a full track data of a
credit card in C# variable.
For around 10 - 15 minutes, for charging tips.
It means that the track data is on RAM (volatile memory).
In PCI PA-DSS, Article 1.1.1 says that "After authorization, do not store the
full contents of any track from the magnetic stripe".
The testing procedure of 1.1.1 is to examine
- Incoming transaction data
- Transaction logs
- History files
- Trace files
- Non-volatile memory, including non-volatile cache
- Debugging and error logs
- Audit logs
- Database schemas and tables
- Database contents
The list does not include RAM. It means that I can retain a track data of a
credit card in C# variable.
Am I correct?
โ07-29-2010 07:19 PM
Your data in RAM can easily be paged out to hard drive if RAM is "full".
Therefore the credit card number can easily end up on the hard drive.
Therefore, I would say 'No"
You have to somehow guarantee that you don't "swap" that RAM to the hard drive...
I'm not an expert; I'm not the guy running the test; I know almost nothing about PCI specifics.
I *do* know that's the answer to most people who think their data is "safe" in RAM.
PS
RAM-sniffers can snoop into your RAM also, but if they've managed to break in that far, you're in trouble anyway...
โ07-29-2010 08:05 PM
On windows, we can disable RAM swapping feature.
I asked a guy from a payment system company. He just keeps saying that "We cannot store the track data in any form even encrypted".
PCI document does not provide any definition of storing. I know that writing the data onto database or file is prohibited. But keeping the data in a programming variable is questionable.
According to the text, if we store the data in C# variable (RAM, volatile memory) after authorization, we will pass the requirement 1.1.1 though.
I really have no idea whom to ask ....
PS. I am developing a restaurant POS System which tries to charge tips after customers leave the table.
โ07-29-2010 09:40 PM - edited โ07-29-2010 09:41 PM
Very good question and points by both of you. I honestly couldn't say for fear of giving the wrong answer though!
I would say your best bet would be to check with the PCI Security Council. You can contact them through their website at https://www.pcisecuritystandards.org/index.shtml.
I'd be interested to see what they say!
Thanks,
Michelle
Developer Community Manager
โ07-30-2010 03:02 PM
@tanin47 : I would be interested in finding out how you got around your issue. We are not a restaurant, but do also require to process tips. I am thinking that for you, you can use the standard Auth and Auth_Capture routines, but we, unfortunately, due to the business type, are told to refrain from doing so, which is why I am interested in your solution.
Regards,
-Trevor B
โ07-03-2012 11:15 AM