Can you store track data and be PCI Compliant?

Does PCI Compliance allow you to save the track data until you process the card? For example someone gives you a card to process in the beginning of next month, can the track data be stored until then? JL

The answer is yes, but with limitations.

Track data is the information encoded in Track 1 and Track 2 within the magnetic strip, or chip, on the back of a credit card which is read by an electronic reader within the terminal or point-of-sale (POS) system. Track data contains information about the card and the cardholder.

What track data can be collected? When a credit or debit card is swiped, the track data may include customer name, credit card number, expiration date, CVV number, and information used as part of PIN encryption/decryption if a debit card.

What track data can be stored? Merchants may securely store ONLY the customer’s name, credit card number, and expiration date to PCI Data Security standards if desired.

How and where will you store the track data? This is the crux of PCI Data Security and should be your most important consideration. Do you use POS software? Do you know if it is PCI Compliant? Some are, some are not. Even some very big software companies are not, but are ‘working on it’.

A technology solution that I sell ( I work direct for the company) is CenPOS. The data is encrypted, stored off site, meets all current data security standards and the solution is fully PCI Compliant.

Article on prohibited Cardholder Data Storage from Visa.

1 thought on “Can you store track data and be PCI Compliant?

  1. I recently participated in a seminar on Secure Commerce Payment Data-Enterprice Payment Security which was hosted by Bill Zujewski-V.P.Product Marketing at ATG, Dave Glaser- V.P. Global Services at Cybersource and Chris Pogue- Sr. Security Consultant at Trustwave. The focal point of discussion was security of data in relation to the Order Management Lifecycle.
    To share my impressions briefly-I guess the main point of the seminar was that the PCI compliance regulations are merely a way to reduce the amount of fraud that is out there, but unless the data will actually be somehow completely eliminated the risk of theft and fraud will always exist- that is regardless if a company is PCI compliant or not. Therefore, as Mr. Dave Glaser said- it is time for a NEW approach- to work on ELIMINATING the data rather than CONTAINING IT. He called the containment approach that is practiced today
    – ” sub-optimal”.
    I guess one may say then, that the PCI regulations of today are implemented as a part of an ongoing process that is desperately trying to solve the “sensitive data pollution” issue and we will see many other attempts in the near future to prevent the “leaks” from happening.


Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA * Time limit is exhausted. Please reload the CAPTCHA.