I just wanted to pass along what I have heard thus far on this topic from the various card brands. I’ll keep updating this post as I get more responses.
American Express (aka Trustwave) came back with the following.
“Per your inquiry regarding the storage of pre-authorized data, from what I can tell the American Express DSOP program currently does not address this topic. However, both the PCI SSC and the card brands (including American Express) have made it abundantly clear that pre-authorization data is to be protected with the same zeal as post-authorization data. That means encrypting it and restricting access to it. The reason the PCI SSC has not issued any directives regarding pre-authorization data yet is that it is a complicated environment and cannot be dealt with in a simple manner with the same approach working for all occurrences.
So, while pre-authorization data seemingly is not covered by the PCI DSS/DSOP programs at this time, you must do everything you can to protect it.
I hope this somewhat answers your question. I plan on doing more research to find any official documentation regarding the subject.”
MasterCard International followed up with their response.
“Merchants should talk with their acquirers to determine the pre-authorization rules particular to their vertical market and region.”
Visa quoted their Visa International Operating Regulations manual, section Account and Transaction Information Security Requirements, VIOR 2.1.E (Updated):
“Ensure that all agents and Merchants do not store any of the following, subsequent to Authorization:
– Full contents of any data taken from the Magnetic Stripe (on a Card, in a Chip, or elsewhere)
– Card Verification Value 2 used to verify Card-Absent Transactions
– PIN or the encrypted PIN block”
Discover has come back with the following.
“Currently the following restrictions apply:
(a) Sensitive Authentication Data obtained in connection with a Card Transaction must not be retained after receipt of an Authorization Response.
(b) Sensitive Authentication Data must not be recorded on Transaction Documentation or any other records or evidence of Card Transaction.
(c) Any processing, transmission, or storage of Cardholder Data must be conducted in accordance with PCI DSS requirements.”
JCB is still to be heard from.
I was deeply disappointed with MasterCard’s response. Acquiring banks, for the most part, cannot answer basic questions about the PCI DSS, so we are supposed to believe that they are experts on retention of pre-authorization data based on a company’s vertical market and region? Talk about passing the buck.
I am also surprised that I have yet to see any of the supposedly “very specific rules that prohibit any storage of sensitive authentication data (SAD) and do not make any exceptions.” Not that I was expecting any as the Council has a tendency of making a mountain out of a molehill at times.
Based on the responses, I would highly recommend that merchants take American Express’ advice and protect pre-authorization data with the same zeal as they do post-authorization data.