[PA-DSS] 1.1.1 After authorization, do not store the full contents of any track from the magnetic s

1.1.1 After authorization, do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.

In the normal course of business, the following data elements from the magnetic stripe may need to be retained:

[ul]
[li]The accountholder’s name,[/li]
[li]Primary account number (PAN),[/li]
[li]Expiration date, and[/li]
[li]Service code[/li]
[/ul]
To minimize risk, store only those data elements needed for business. NEVER store the card verification code or value or PIN verification value data elements.

Note: See PCI DSS Glossary for additional information.

PCI Data Security Standard Requirement 3.2.1

Testing Procedures:

1.1.1 Use forensic tools and/or methods (commercial tools, scripts, etc.)[SIZE=1][1][/SIZE] to examine all output created by the payment application and verify that the full contents of any track from the magnetic stripe on the back of the card are not stored after authorization. Include the following types of files (as well as any other output generated by the payment application):

[ul]
[li]Incoming transaction data[/li]
[li]Transaction logs[/li]
[li]History files[/li]
[li]Trace files[/li]
[li]Non-volatile memory, including non-volatile cache[/li]
[li]Debugging and error logs[/li]
[li]Audit logs[/li]
[li]Database schemas and tables[/li]
[li]Database contents[/li]
[/ul]
[SIZE=2][1] Forensic tool or method: A tool or method for uncovering, analyzing and presenting forensic data, which provides a robust way to authenticate, search, and recover computer evidence rapidly and thoroughly. In the case of forensic tools or methods used by PA-QSAs, these tools or methods should accurately locate any sensitive authentication data written by the payment application. These tools may be commercial, open-source, or developed in-house by the PA-QSA.[/SIZE]
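
As an added example (not part of the PA-DSS text or of any PA-QSA tool), here is a minimal script of the kind the testing procedure allows: it scans raw bytes for the ISO/IEC 7813 Track 1 and Track 2 layouts and confirms each PAN with a Luhn check. The function names and the sample log are constructed for illustration.

```python
import os
import re

# ISO/IEC 7813 layouts: Track 1 is %B<PAN>^<name>^<YYMM><service code><data>?
# and Track 2 is ;<PAN>=<YYMM><service code><data>?
TRACK_PATTERNS = {
    "track1": re.compile(rb"%B(\d{12,19})\^[^^?\r\n]{2,26}\^\d{4}\d{3}[^?\r\n]*\?"),
    "track2": re.compile(rb";(\d{12,19})=\d{4}\d{3}\d*\?"),
}

def luhn_ok(pan):
    """Luhn check on the PAN, used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_bytes(data):
    """Return (kind, offset, PAN masked to first six / last four) per full-track hit."""
    findings = []
    for kind, pattern in TRACK_PATTERNS.items():
        for m in pattern.finditer(data):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                findings.append((kind, m.start(), masked))
    return sorted(findings, key=lambda f: f[1])

def scan_tree(root):
    """Scan every file under root; unreadable files are reported, not skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                yield path, "unreadable", -1, ""
                continue
            for kind, offset, masked in scan_bytes(data):
                yield path, kind, offset, masked

# Constructed sample log; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = (
    b"12:00:01 DEBUG swipe raw=%B4111111111111111^DOE/JOHN^25121010000000000? ok\n"
    b"12:00:02 INFO auth pan=411111******1111 exp=2512 approved\n"
    b"12:00:03 TRACE t2=;4111111111111111=25121010000000000? sent\n"
    b"12:00:04 TRACE seq=;1234567890123456=25121010000? (fails Luhn, ignored)\n"
)
```

The patterns match plain ASCII only: output that is compressed, encoded, encrypted or stored as UTF-16 has to be decoded before scanning, and database contents have to be exported first.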