I wrote about the Best Western case yesterday, but something in today’s news caught my eye. Newsday.com reports this nugget of information:
The company said it purges guests’ credit card and other data from its systems within seven days of their checkout.
Seven days? PCI DSS prohibits storing sensitive authentication data (full track data, the card verification code, PIN data) at all after authorization, so what credit card data are they referring to here?
Was it just the PAN? Seven days may look short next to a year's worth of data, but the PAN is supposed to be masked wherever it is displayed and rendered unreadable (truncated, hashed or strongly encrypted) wherever it is stored, from the moment it is written, and sensitive authentication data has to be securely wiped as soon as the card has been authorized. Retaining anything beyond that is only justified by a documented business need, not by a routine purge cycle. If they say they are PCI-compliant, how do they explain a seven-day procedure that leaves card data exposed?
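To make concrete what "masked, hashed or truncated" means for a stored record, here is an added example that is not part of the original post and not Best Western's code. It takes a constructed post-checkout record, flags the fields that PCI DSS treats as sensitive authentication data (by field name, and by a track-2 pattern in free text), drops them, and rewrites the PAN as a display mask plus a keyed hash so the record can still be matched against later transactions without holding the PAN in the clear. The field names, the key, and the sample card numbers (standard test numbers) are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Field names treated as sensitive authentication data (assumed naming; adjust
# to the schema at hand). None of these may be stored after authorization.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "cav2", "pin", "pin_block",
              "track1", "track2"}

# Track-2 data looks like "<PAN>=<YYMM><service code>...". Its presence in a
# free-text field (receipt notes, logs) is as bad as a dedicated column.
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")

# Constructed sample record, as a property system might hold it after checkout.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",           # Visa test number, not a real account
    "expiry": "12/25",
    "cvv": "123",
    "notes": "swipe dump ;4111111111111111=25121011234? keep for refunds",
}


def normalize_pan(pan):
    """Strip spaces and dashes so the same PAN always produces the same output."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan):
    """Luhn check, used only to reject values that are not card numbers at all."""
    digits = [int(c) for c in normalize_pan(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: at most the first six and last four digits are visible."""
    p = normalize_pan(pan)
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def truncate_pan(pan):
    """Storage form that keeps only the last four digits; nothing to recover."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan, key):
    """Keyed hash of the PAN. An unkeyed SHA-256 is not enough: 16-digit PANs
    with known BIN ranges and a Luhn digit form a small enough space to
    brute-force, so the key must be managed like an encryption key."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def find_sad(record):
    """Return the names of fields that hold sensitive authentication data,
    either by field name or because the value contains track-2 data."""
    flagged = set()
    for name, value in record.items():
        if name.lower().replace("-", "_") in SAD_FIELDS:
            flagged.add(name)
        elif isinstance(value, str) and TRACK2_RE.search(value):
            flagged.add(name)
    return sorted(flagged)


def sanitize_for_storage(record, key):
    """Produce the only form of the record that should survive authorization:
    SAD fields removed, PAN replaced by its mask and a keyed hash. The expiry
    date is cardholder data and may be retained."""
    sad = set(find_sad(record))
    clean = {k: v for k, v in record.items() if k not in sad}
    if "pan" in clean:
        pan = clean.pop("pan")
        if not luhn_valid(pan):
            raise ValueError("pan field does not contain a card number")
        clean["pan_masked"] = mask_pan(pan)
        clean["pan_hmac"] = hash_pan(pan, key)
    return clean


if __name__ == "__main__":
    key = b"assumed-demo-key-replace-with-managed-key"
    print("SAD fields found:", find_sad(SAMPLE_RECORD))
    print("storable record:", sanitize_for_storage(SAMPLE_RECORD, key))
```

The point of the example is the split: `find_sad` answers the question the post asks ("what data are they holding?"), and `sanitize_for_storage` shows that the decision is made at write time, not on a seven-day timer. Whether the remaining masked and hashed fields need to exist at all for seven days is then a retention question, not a protection one.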