security number held

Matthew Pemble ukcrypto at chiark.greenend.org.uk
Thu, 3 Apr 2008 14:26:33 +0100



A tricky one - under PCI-DSS Req 3.2, they should not store the card
validation code (3.2.2) subsequent to authorisation.  They might claim that
they had not yet got auth; you could also, from a process p.o.v., claim that
they had received authorisation and it was "Declined.  Incorrect card
details."

There is a necessity to temporarily store the CVV2 (or similar) when
authorisation blocks are being queued for transmission to the merchant
acquirer (or, having been transmitted, are awaiting confirmation of receipt
- which will generally be the auth / dec message).  I, like you, am
surprised that the CVV was accessible to the customer service team.

I would note that the audit instructions require you to sample "incoming
transaction data" as well as other areas for inappropriately stored
"sensitive authentication data."

Matthew

On 03/04/2008, Ricky Rankin <r.rankin@qub.ac.uk> wrote:
>
> Just ordered something over internet from Curry's.
>
> Was contacted that they had a problem confirming the order - they had
> wrong expiry date.
>
> However during the conversation they were able to give me the first and
> last four digits of the card number - for security they didn't hold the
> middle 8.
>
> They were able to give me the 3 digit security number - I thought that
> they were not allowed to store this
>
> Ricky
> ______________________
> Principal Analyst
> Information Services
> Queen's University Belfast
>
> tel: 02890 974824
> fax: 02890 976586
> email: r.rankin@qub.ac.uk
>
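As an added illustration (not part of Matthew's or Ricky's messages): a small Python model of the retention window Matthew describes, with the CVV2 held only while the authorisation block is queued or awaiting the auth/dec response and purged on either outcome (a decline is still an authorisation response), plus an audit helper that samples stored records and raw "incoming transaction data" for retained sensitive authentication data. All class, function and field names and the sample records are constructed for this example; the PAN values are the standard test numbers, not real cards.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field names under which a card validation code commonly arrives in incoming
# transaction data (constructed list for the audit scan below).
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|csc)\s*[=:]\s*(\d{3,4})\b", re.I)


@dataclass
class AuthRequest:
    order_id: str
    pan: str                 # full PAN only while the request is in flight
    expiry: str
    cvv2: Optional[str]      # validation code; must not survive the response
    status: str = "QUEUED"   # QUEUED -> SENT -> APPROVED | DECLINED
    response_text: str = ""


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; the middle is not retained."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class AuthQueue:
    """Holds authorisation blocks from enqueue until the acquirer answers."""

    def __init__(self) -> None:
        self.records = {}  # order_id -> AuthRequest

    def enqueue(self, order_id, pan, expiry, cvv2) -> AuthRequest:
        rec = AuthRequest(order_id, pan, expiry, cvv2)
        self.records[order_id] = rec
        return rec

    def mark_sent(self, order_id) -> None:
        self.records[order_id].status = "SENT"

    def apply_response(self, order_id, approved: bool, text: str) -> AuthRequest:
        """Auth/dec message received: drop SAD regardless of the outcome."""
        rec = self.records[order_id]
        rec.status = "APPROVED" if approved else "DECLINED"
        rec.response_text = text
        rec.cvv2 = None                # purge the validation code
        rec.pan = mask_pan(rec.pan)    # retain only a masked PAN
        return rec


def audit_records(records) -> list:
    """Flag completed records that still hold sensitive authentication data."""
    return [
        (r.order_id, "cvv2 retained after authorisation response")
        for r in records
        if r.status in ("APPROVED", "DECLINED") and r.cvv2 is not None
    ]


def scan_incoming_data(lines) -> list:
    """Sample raw incoming transaction data for stored validation codes."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SAD_FIELD_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


def demo():
    q = AuthQueue()
    q.enqueue("ORD-1", "4111111111111111", "12/09", "123")
    q.enqueue("ORD-2", "5555555555554444", "01/10", "456")
    q.mark_sent("ORD-1")
    q.mark_sent("ORD-2")
    q.apply_response("ORD-1", True, "Approved")
    q.apply_response("ORD-2", False, "Declined. Incorrect card details.")
    # Simulate a faulty system that kept the code because the answer was a decline.
    q.records["ORD-2"].cvv2 = "456"
    findings = audit_records(q.records.values())
    # Constructed sample of archived incoming transaction data.
    sample = [
        "order=ORD-1 pan=411111******1111 exp=12/09",
        "order=ORD-3 pan=4111111111111111 exp=12/09 cvv2=789",
        "order=ORD-4 pan=5555555555554444 exp=01/10 CVC: 321",
    ]
    return findings, scan_incoming_data(sample)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The audit deliberately treats a declined response the same as an approval: the process argument in the message above ("they had received authorisation and it was Declined") is exactly why a record that is still waiting is acceptable but a completed one with a CVV2 is a finding.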
