Comments on: Sample PCI-DSS Policy Part 3: Handling of Cardholder Data http://www.pcidssguru.com/policy/handling-cardholder-data/ Practical Implementation Guidance on the Payment Card Industry Data Security Standard Tue, 31 Jan 2012 16:19:53 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Warren http://www.pcidssguru.com/policy/handling-cardholder-data/comment-page-1/#comment-1492 Warren Mon, 01 Nov 2010 14:46:17 +0000 http://www.pcidssguru.com/?p=68#comment-1492 Hello. I manage a records management facility. We store data and back up media for a call center. They are requesting our compliance with PCI DSS, however there are only a few sections that deal with offsite storage. The self assessments don't seem to be helping because we only store paper or back ups and not any of that information is on a computer or database of any kind. I guess my question is how does one get "official" compliance for the applicable portions of the document? Thanks a bunch. Hello. I manage a records management facility. We store data and back up media for a call center. They are requesting our compliance with PCI DSS, however there are only a few sections that deal with offsite storage. The self assessments don’t seem to be helping because we only store paper or back ups and not any of that information is on a computer or database of any kind.

I guess my question is how does one get “official” compliance for the applicable portions of the document?
Thanks a bunch.

]]> By: Lisa http://www.pcidssguru.com/policy/handling-cardholder-data/comment-page-1/#comment-1470 Lisa Tue, 26 Oct 2010 16:30:58 +0000 http://www.pcidssguru.com/?p=68#comment-1470 I have more of a question than a comment. Does our shredding vendor need to be PCI COMPLIANT OR PCI CERTIFIED? Thanks all. I have more of a question than a comment.
Does our shredding vendor need to be PCI COMPLIANT OR PCI CERTIFIED?
Thanks all.

]]> By: Tippy http://www.pcidssguru.com/policy/handling-cardholder-data/comment-page-1/#comment-1368 Tippy Sun, 03 Oct 2010 09:06:44 +0000 http://www.pcidssguru.com/?p=68#comment-1368 Chris: If your company only deals with truncated cardholder data, then it should be noted that truncated cardholder data is not classified as cardholder data in the first place. This if proven as you say is truncated data. Chris: If your company only deals with truncated cardholder data, then it should be noted that truncated cardholder data is not classified as cardholder data in the first place. This if proven as you say is truncated data.

]]> By: Emily http://www.pcidssguru.com/policy/handling-cardholder-data/comment-page-1/#comment-1324 Emily Thu, 16 Sep 2010 16:30:45 +0000 http://www.pcidssguru.com/?p=68#comment-1324 One of you bullet points reads: "coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to". What is the end to this sentence? "Used to" what? Thanks! One of you bullet points reads: “coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to”. What is the end to this sentence? “Used to” what?

Thanks!

]]> By: Jewel http://www.pcidssguru.com/policy/handling-cardholder-data/comment-page-1/#comment-983 Jewel Tue, 16 Mar 2010 23:08:20 +0000 http://www.pcidssguru.com/?p=68#comment-983 @Chris: Page six of the DSS says "PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted." Whenever "cardholder data" is mentioned in the standard it is only as defined on that page. @Chris: Page six of the DSS says “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.” Whenever “cardholder data” is mentioned in the standard it is only as defined on that page.

]]> By: Chris http://www.pcidssguru.com/policy/handling-cardholder-data/comment-page-1/#comment-815 Chris Tue, 15 Dec 2009 17:54:39 +0000 http://www.pcidssguru.com/?p=68#comment-815 My company only has truncated cardholder data to begin with. Does this still count as cardholder data that must be destroyed from all our old backups and servers? It's useless without the full number anyway, so I don't understand why it would be necessary, but from my interpretation of the requirement, that is what they are asking. My company only has truncated cardholder data to begin with. Does this still count as cardholder data that must be destroyed from all our old backups and servers? It’s useless without the full number anyway, so I don’t understand why it would be necessary, but from my interpretation of the requirement, that is what they are asking.

]]>