Skip to content

Update to Best Western story

I wrote about the Best Western case yesterday, but something in today’s news caught my eye. reports this nugget of information:

The company said it purges guests’ credit card and other data from its systems within seven days of their checkout.

Seven days? They are prohibited by PCI from storing sensitive data after authorization, so what credit card data are they referring to here?

Was it just the PAN? Although seven days might seem short compared with a year of data, card information is meant to be masked, hashed or truncated immediately. Sensitive data has to be securely wiped as soon as a card has been authorized. How do they explain the reason for a seven day procedure that leaves card data exposed, since they say they are PCI-compliant?

Posted in Security.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.