PCI DSS: Credit cards in RAM
Aug 2nd, 2007 by Jesper Kråkhede
Today I got a question from a POS (Point of Sale) vendor asking whether it is OK to store credit card numbers in the RAM of the computers. The POS vendor's issue concerned the statement file that should be sent to the bank. Is it allowed to have the file unencrypted in memory while waiting for the connection to the bank?
I searched the internet for answers to this question but could not find any. I checked with the auditors I currently work with regarding this issue and got the following response:
“It is OK to store the credit card numbers in RAM as long as it is only temporary and is not a huge amount of numbers.”
Of course this is rather obvious. If you store the information encrypted in the database, you have to decrypt it in RAM if you ever want to use it.