Hot off the press from the PCI SSC and this month’s Assessor Newsletter.
Is pre-authorization data in scope for PCI DSS?
PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization. There are no specific rules in PCI DSS regarding how long CHD or SAD can be stored prior to authorization, but such data must be protected according to PCI DSS while being stored, processed or transmitted. Use of PTS-validated payment devices and PA-DSS validated payment applications can support PCI DSS compliance for the protection of data prior to authorization.
With respect to SAD, PCI DSS Requirement 3.2 prohibits storage of SAD AFTER authorization, even if encrypted. Whether SAD is permitted to be stored prior to authorization is determined by the individual payment brands, including any related usage and protection requirements. Any permitted storage of SAD prior to authorization would be subject to strict conditions and controls above those defined in the PCI DSS. Additionally, several payment brands have very specific rules that prohibit any storage of SAD and do not make any exceptions. To determine payment brand requirements, please contact the individual payment brands directly.
There we have it. Pre-authorization data is in scope, with a number of caveats as dictated by the individual card brands.
Just to be clear, I have never argued that pre-authorization data was not to be secured with the same diligence as post-authorization data. I just could not find anything in the PCI DSS that explicitly called out the coverage of pre-authorization data. Past training had always explicitly referenced that the PCI DSS was for data stored after authorization, i.e., post-authorization.
Now I guess I am off to bug the card brands about their pre-authorization data retention rules if they are not posted on their merchant security Web pages.