1.1 Do not store sensitive authentication data subsequent to authorization (even if encrypted):
Sensitive authentication data includes the data as cited in the following Requirements 1.1.1 through 1.1.3.
PCI Data Security Standard Requirement 3.2
Note: By prohibiting storage of sensitive authentication data “subsequent to authorization,” the assumption is that the transaction has completed the authorization process and the customer has received the final transaction approval. After authorization has completed, this sensitive authentication data cannot be stored.
Testing Procedures:
1.1 If sensitive authentication data (see 1.1.1-1.1.3 below) is stored prior to authorization and then deleted, obtain and review methodology for deleting the data to determine that the data is unrecoverable.
For each item of sensitive authentication data below, perform the following steps after completing numerous test transactions that simulate all functions of the payment application, to include generation of error conditions and log entries.