Hot off the press from the PCI SSC and this month’s Assessor Newsletter.
Is pre-authorization data in scope for PCI DSS?
PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization. There are no specific rules in PCI DSS regarding how long CHD or SAD can be stored prior to authorization, but such data must be protected according to PCI DSS while being stored, processed or transmitted. Use of PTS-validated payment devices and PA-DSS validated payment applications can support PCI DSS compliance for the protection of data prior to authorization.
With respect to SAD, PCI DSS Requirement 3.2 prohibits storage of SAD AFTER authorization, even if encrypted. Whether SAD is permitted to be stored prior to authorization is determined by the individual payment brands, including any related usage and protection requirements. Any permitted storage of SAD prior to authorization would be subject to strict conditions and controls above those defined in the PCI DSS. Additionally, several payment brands have very specific rules that prohibit any storage of SAD and do not make any exceptions. To determine payment brand requirements, please contact the individual payment brands directly.
There we have it. Pre-authorization data is in scope for PCI DSS; the caveats concern SAD, where whether any storage is permitted before authorization, and under what conditions, is dictated by the individual card brands.
Just to be clear, I have never argued that pre-authorization data was not to be secured with the same diligence as post-authorization data. I just could not find anything in the PCI DSS that explicitly called out the coverage of pre-authorization data. Past training had always explicitly referenced that the PCI DSS was for data stored after authorization, i.e., post-authorization.
Now I guess I am off to bug the card brands about their pre-authorization data retention rules if they are not posted out on their merchant security Web pages.

Does anyone have feedback on the payment brand requirements for pre-authorization SAD storage?
I am waiting for all of the card brands to respond so that I can post an update. I have only heard back from AmEx and MasterCard.
This won’t change much for most applications, I think. However, this could change a lot for many places that previously thought that PCI did not apply to them because they only stored, processed or transmitted pre-auth CHD. I can imagine a lot of companies today just went “Uh Oh!”.