Nothing causes more confusion than the discussion of pre-authorization data. To add to the confusion, the PCI DSS is only relevant for post-authorization data. In fact, the PCI SSC has a special working group that is developing the standards for pre-authorization data. And if that is not enough, most people are totally unaware of the concept of pre-authorization data and yet all of us run into it every day.
The first comment I usually get regarding pre-authorization is where do I get the idea that the PCI DSS does not cover pre-authorization data? At the very first PCI Community Meeting, there was a whole hour long session devoted to pre-authorization data. It was at this session that the card brands stated that pre-authorization data was not covered by the PCI DSS. And if you read the PCI DSS, it deals only with the processing, transmission and storage or cardholder data. While all of these activities occur during the pre-authorization phase, if you really read the PCI DSS, all of the language refers to the transaction after it has been authorized. However, the current release of the PA-DSS does address pre-authorization data and its protection.
The most common example of pre-authorization data is at your local gas station or convenience store. When you go to fill up your vehicle and you use a credit card, you swipe your card before you ever pump a drop of fuel. Have you ever wondered what goes on between that card swipe and you complete filling your vehicle?
When you swipe your credit card, the track data is read and a pre-authorization transaction is sent through to the gas station’s processor for some fixed amount, typically the amount is for approximately $75, more if the station is on an Interstate highway. This is done to ensure that your credit card has enough left on its limit to pay for your fill up. Once you complete filling your tank, the pump completes the transaction by submitting the actual cost of the fuel to the processor and the transaction is completed. However, all the while that you were filling your tank with fuel, the station’s computer system has your credit card data until the transaction is completed. Until your transaction is approved or declined, the data is considered pre-authorization data.
Another example of pre-authorization data is when you check into a hotel. When you make your reservation, you provided a credit card for the hotel to guarantee your reservation. Whether through the hotel’s call center, Web site or the location itself, your credit card information is maintained on file so that you can be charged if you fail to cancel the reservation.
When you finally check in, the front desk clerk swipes your card as part of the check in process. Based on the number of nights you are staying and some other guest averages, the hotel again issues a pre-authorization transaction to their processor to make sure your credit card will be able to take care of the likely charges for your stay. All of this is considered pre-authorization. Your credit card information is not cleared from the hotel’s system until you check out. As a result, your credit card data can be in the hotel’s systems from a few weeks or months to even years.
There are other examples, but I think you have the picture. Again, while the PCI DSS currently does not address pre-authorization data, the PCI SSC and the card brands have made it abundantly clear that pre-authorization data is to be protected with the same zeal as post-authorization data. That means encrypting it and restricting access to it. The reason the PCI SSC has not issued any directives regarding pre-authorization data yet is that it is a complicated environment and cannot be dealt with in a simple manner with the same approach working for all occurrences.
So, while pre-authorization data is not covered by the PCI DSS, you must do everything you can to protect it.