Getting to know the PADSS audit guidelines: Deleting information

PADSS audits are based on a list of criteria that measure how secure a certain payment application is. Before earning compliance, software developers may have to face this list and would do well to prepare for its guidelines. The PCI Security Standards Council explored each of the auditing criteria in a Version 3.1 document on Security Audit Procedures, released in May 2015.

There are 14 requirements under PADSS that factor into an audit. This blog will focus on the first one, which mandates that subjects do not "retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data." While it contains several sub-requirements, the basic premise of this point concerns not storing sensitive information where it can be stolen to commit fraud.

"If not securely deleted, this data could remain hidden on customer systems, and malicious individuals who obtain access to this information could use it to produce counterfeit payment cards, and/or to perform fraudulent transactions," the source stated.

The document did note that some pieces of information need to be stored, such as cardholder names and card expiration dates. However, it stated that "only those data elements needed for business" should be kept to reduce the chances of fraud.

Some of the other requirements also cover similar ground, which is why a full audit might be necessary to determine major weaknesses. Businesses may assume that the PADSS requirements mean storing any customer information at all is not allowed, but keeping some data in hard copy form or under encryption can help users reach compliance, as states.

For more on the PADSS requirements and security assessment procedures, be sure to return to this blog as we continue examining the other 13 requirements.

Scroll to Top