[PA-DSS] 1.1.5 Securely delete any sensitive authentication data (pre-authorization data) used for debugging or troubleshooting

1.1.5 Securely delete any sensitive authentication data (pre-authorization data) used for debugging or troubleshooting purposes from log files, debugging files, and other data sources received from customers, to ensure that magnetic stripe data, card validation codes or values, and PINs or PIN block data are not stored on software vendor systems. These data sources must be collected in limited amounts and only when necessary to resolve a problem, encrypted while stored, and deleted immediately after use.

PCI Data Security Standard Requirement 3.2

Testing Procedures:

1.1.5.a Examine the software vendor's procedures for troubleshooting customers' problems and verify the procedures include:

[ul]
[li]Collection of sensitive authentication data only when needed to solve a specific problem[/li][li]Storage of such data in a specific, known location with limited access[/li][li]Collection of only a limited amount of data needed to solve a specific problem[/li][li]Encryption of sensitive authentication data while stored[/li][li]Secure deletion of such data immediately after use.[/li][/ul]
1.1.5.b Select a sample of recent troubleshooting requests from customers, and verify each event followed the procedure examined at 1.1.5.a.

1.1.5.c Review the PA-DSS Implementation Guide prepared by the vendor and verify the documentation includes the following instructions for customers and resellers/integrators:

[ul]
[li]Collect sensitive authentication data only when needed to solve a specific problem[/li][li]Store such data only in specific, known locations with limited access[/li][li]Collect only the limited amount of data needed to solve a specific problem[/li][li]Encrypt sensitive authentication data while stored[/li][li]Securely delete such data immediately after use.[/li][/ul]
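The two controls that 1.1.5.a and 1.1.5.c both ask for on a customer-supplied debug file, "collect only the limited amount of data needed" and "securely delete such data immediately after use", as an added example in Python. This is not PCI SSC or any vendor's code. It scrubs the three SAD classes named in 1.1.5 (Track 1/Track 2 magnetic stripe data, card validation codes, PIN blocks) out of a troubleshooting log into a reduced copy that can be kept for the case, and then overwrites and unlinks the original. The log layout, the field labels (cvv/cvc/cid, pin_block) and the sample lines are constructed assumptions; the PAN in them is the widely published 4111 1111 1111 1111 test number, not a real card.

```python
"""Scrub sensitive authentication data (SAD) out of a troubleshooting file and
securely delete the original.  Added example, not PA-DSS or vendor code."""
import os
import re
import tempfile

# Patterns for the SAD classes named in PA-DSS 1.1.5.  The field labels for
# CVV and PIN block are assumptions about how a debug log might name them;
# adapt them to what the application under test actually emits.
SAD_PATTERNS = [
    # Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
    ("TRACK1", re.compile(r"%[A-Z]\d{13,19}\^[^^]{2,26}\^\d{4}[^?\s]*\??")),
    # Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
    ("TRACK2", re.compile(r";\d{13,19}=\d{4}[^?\s]*\??")),
    # Card validation code/value as a labelled key=value or JSON field.
    # The 'keep' group retains the label so the scrubbed log stays readable.
    ("CVV", re.compile(r'(?i)\b(?P<keep>(?:cvv2?|cvc2?|cid|cav2)"?\s*[:=]\s*"?)(\d{3,4})\b')),
    # ISO 9564 PIN block: 16 hex characters after a pin_block label.
    ("PINBLOCK", re.compile(r'(?i)\b(?P<keep>pin[_ ]?block"?\s*[:=]\s*"?)([0-9a-f]{16})\b')),
]

# Constructed sample of a POS debug log a customer might send in (assumption).
SAMPLE_LOG = """\
2024-03-01T10:15:02Z DEBUG pos.reader track1=%B4111111111111111^DOE/JOHN^25121011234567890?
2024-03-01T10:15:02Z DEBUG pos.reader track2=;4111111111111111=25121011234567890?
2024-03-01T10:15:03Z DEBUG pos.auth request {"pan":"411111******1111","cvv2":"123","amount":"19.99"}
2024-03-01T10:15:03Z DEBUG pos.pinpad pin_block=0412AC89EF01B3D2 ksn=FFFF9876543210E00001
2024-03-01T10:15:04Z INFO  pos.auth response code=00 auth=123456
"""


def scrub_line(line):
    """Return (scrubbed_line, [SAD classes removed]) for one log line."""
    findings = []
    for name, pattern in SAD_PATTERNS:
        def redact(m, name=name):
            findings.append(name)
            keep = m.groupdict().get("keep") or ""   # track patterns keep nothing
            return f"{keep}[{name}-REDACTED]"
        line = pattern.sub(redact, line)
    return line, findings


def secure_delete(path, passes=2):
    """Overwrite the file with random bytes, fsync, then unlink it.

    Caveat: an in-place overwrite only defeats recovery where the filesystem
    rewrites the same physical blocks.  On SSDs, journaling or copy-on-write
    filesystems and cloud block storage that is not guaranteed; there the
    reliable control is the encryption-at-rest 1.1.5 already requires, with a
    per-case key so that deleting the case means destroying its key.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                f.write(os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)


def scrub_file(src, dst):
    """Write a scrubbed copy of src to dst, then securely delete src.
    Returns the number of findings per SAD class, for the case record."""
    counts = {}
    with open(src, "r", encoding="utf-8", errors="replace") as fin:
        with open(dst, "w", encoding="utf-8") as fout:
            for line in fin:
                clean, found = scrub_line(line)
                for name in found:
                    counts[name] = counts.get(name, 0) + 1
                fout.write(clean)
            fout.flush()
            os.fsync(fout.fileno())
    secure_delete(src)
    return counts


def demo(case_dir=None):
    """Run the scrub on the constructed sample; returns (counts, scrubbed text,
    whether the original still exists)."""
    case_dir = case_dir or tempfile.mkdtemp(prefix="sad-case-")
    src = os.path.join(case_dir, "customer-debug.log")
    dst = os.path.join(case_dir, "customer-debug.scrubbed.log")
    with open(src, "w", encoding="utf-8") as f:
        f.write(SAMPLE_LOG)
    counts = scrub_file(src, dst)
    with open(dst, encoding="utf-8") as f:
        scrubbed = f.read()
    return counts, scrubbed, os.path.exists(src)


if __name__ == "__main__":
    counts, scrubbed, still_there = demo()
    print(counts, "original present:", still_there)
    print(scrubbed)
```

The scrubbed copy is what goes into the limited-access case location; it carries enough context to debug the session (timestamps, response codes, masked PAN) without any of the data 1.1.5 forbids keeping, and the per-class counts give the auditor for 1.1.5.b a record of what was removed. Redaction is deliberately eager: a label that looks like a CVV field is always blanked, because a missed SAD value costs far more than an over-redacted debug field.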