Agreed. I doubt that 'redaction' would meet the needs stated in the article
for businesses to demonstrate the caller actually provided the accurate
code/number to validate the transaction.
If members of the industry the Standard is directed at are able to
demonstrate the requirements are inconsistent with necessary business
practices, they should communicate this back to the PCI. Standards that
can't be implemented without adversely impacting the members of the industry
they are written for have no value.
One way to address this would be to suggest the language state that, when this
type of information *IS* collected, it be stored by a secure means with
access limited to those with a need to know for a specified period of time.
Larry
List archives at http://lists.ufl.edu/archives/recmgmt-l.html