3.2 Do not store sensitive authentication
data after authorization (even if
encrypted). If sensitive authentication
data is received, render all data
unrecoverable upon completion of the
authorization process.
It is permissible for issuers and
companies that support issuing services
to store sensitive authentication data if:
There is a business justification and
The data is stored securely.
Sensitive authentication data includes
the data as cited in the following
Requirements 3.2.1 through 3.2.3:
3.2.a For issuers and/or companies that support issuing
services and store sensitive authentication data, review policies
and interview personnel to verify there is a documented
business justification for the storage of sensitive authentication
data.
3.2.b For issuers and/or companies that support issuing
services and store sensitive authentication data, examine data
stores and system configurations to verify that the sensitive
authentication data is secured
3.2.c For all other entities, if sensitive authentication data is
received, review policies and procedures, and examine system
configurations to verify the data is not retained after
authorization.
3.2.d For all other entities, if sensitive authentication data is
received, review procedures and examine the processes for
securely deleting the data to verify that the data is
unrecoverable.
Sensitive authentication data consists of full track
data, card validation code or value, and PIN data.
Storage of sensitive authentication data after
authorization is prohibited! This data is very
valuable to malicious individuals as it allows them
to generate counterfeit payment cards and create
fraudulent transactions.
Entities that issue payment cards or that perform
or support issuing services will often create and
control sensitive authentication data as part of the
issuing function. It is allowable for companies that
perform, facilitate, or support issuing services to
store sensitive authentication data ONLY IF they
have a legitimate business need to store such
data.
It should be noted that all PCI DSS requirements
apply to issuers, and the only exception for
issuers and issuer processors is that sensitive
authentication data may be retained if there is a
legitimate reason to do so. A legitimate reason is
one that is necessary for the performance of the
function being provided for the issuer and not one
of convenience. Any such data must be stored
securely and in accordance with all PCI DSS and
specific payment brand requirements.
For non-issuing entities, retaining sensitive
authentication data post-authentication is not
permitted.