Last post Sep 29, 2014 08:54 AM by AidyF
Sep 29, 2014 08:32 AM|triggered
Hello, payment gateway does not support notifying customers in regards to their credit card about to expire. I want to store the last 4 digits and the expiry month and year. PCI DSS says it's okay as long as the PAN is not stored. My question is... do the last 4 digits and expiry have to be encrypted or can they be stored in clear text? I can't find any requirements stating that it needs to be encrypted. If it is encrypted then I couldn't run a SQL query looking for cards that are going to expire in the next month. I would have to pull down the records page by page in a scheduled task, decrypt and check. Anyone do this?
Sep 29, 2014 08:36 AM|AidyF
You could encrypt the last four digits but not the expiry date. That way you can query for all expired cards, then decrypt each record to get the digits.
Sep 29, 2014 08:44 AM|triggered
Hi, thanks for the response. Is your solution a requirement or a suggestion? I am trying to figure out if I can store both in clear text. I do plan on using your suggestion though.
Sep 29, 2014 08:54 AM|AidyF
Your question is outside the scope of the forum really, but according to this
You only need to encrypt the expiry date if you are also storing the PAN. As you are only storing the last digits you can probably get away with only encrypting the digits and storing the expiry date unencrypted.
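
Added example, not part of the thread or any poster's code: a sketch of the layout discussed above, with the expiry month and year stored as plain indexed columns and the last four digits stored only as ciphertext, so the "expiring next month" lookup stays a single SQL query, including the December-to-January rollover. The table and column names are assumptions, SQLite stands in for the real database, and the ciphertext bytes are constructed placeholders for whatever the application's encryption routine produces.

```python
import sqlite3
from datetime import date

# Hypothetical schema: expiry is queryable in the clear, last four digits are ciphertext.
SCHEMA = """
CREATE TABLE stored_card (
    customer_id INTEGER PRIMARY KEY,
    last4_enc   BLOB    NOT NULL,  -- encrypted by the application before insert
    exp_month   INTEGER NOT NULL CHECK (exp_month BETWEEN 1 AND 12),
    exp_year    INTEGER NOT NULL
);
CREATE INDEX ix_card_expiry ON stored_card (exp_year, exp_month);
"""


def next_month(today):
    """Return (year, month) for the month after `today`, rolling over in December."""
    if today.month == 12:
        return today.year + 1, 1
    return today.year, today.month + 1


def cards_expiring_next_month(conn, today):
    """Select cards whose expiry month is next month; decryption happens afterwards."""
    year, month = next_month(today)
    return conn.execute(
        "SELECT customer_id, last4_enc FROM stored_card "
        "WHERE exp_year = ? AND exp_month = ? ORDER BY customer_id",
        (year, month),
    ).fetchall()


def demo_db():
    """In-memory database with constructed sample rows (ciphertext is placeholder bytes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO stored_card VALUES (?, ?, ?, ?)",
        [
            (1, b"\x01ciphertext-a", 10, 2014),
            (2, b"\x02ciphertext-b", 1, 2015),
            (3, b"\x03ciphertext-c", 10, 2015),
        ],
    )
    return conn


if __name__ == "__main__":
    # The scheduled task would decrypt last4_enc only for the rows returned here.
    for customer_id, last4_enc in cards_expiring_next_month(demo_db(), date(2014, 9, 29)):
        print(customer_id, last4_enc)
```

Only the matching rows need to be decrypted by the scheduled task, rather than paging through and decrypting every record.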