I just wanted to pass along what I have heard thus far on this topic from the various card brands. I’ll keep updating this post as I get more responses.
American Express (aka Trustwave) came back with the following.
“Per your inquiry regarding the storage of pre-authorized data, from what I can tell the American Express DSOP program currently does not address this topic. However, both the PCI SSC and the card brands (including American Express) have made it abundantly clear that pre-authorization data is to be protected with the same zeal as post-authorization data. That means encrypting it and restricting access to it. The reason the PCI SSC has not issued any directives regarding pre-authorization data yet is that it is a complicated environment and cannot be dealt with in a simple manner with the same approach working for all occurrences.
So, while pre-authorization data seemingly is not covered by the PCI DSS/DSOP programs at this time, you must do everything you can to protect it.
I hope this somewhat answers your question. I plan on doing more research to find any official documentation regarding the subject.”
MasterCard International followed up with their response.
“Merchants should talk with their acquirers to determine the pre-authorization rules particular to their vertical market and region.”
Visa, Discover and JCB are still to be heard from.
I was deeply disappointed with MasterCard’s response. Acquiring banks, for the most part, cannot answer basic questions about the PCI DSS, so we are supposed to believe that they are experts on retention of pre-authorization data based on a company’s vertical market and region? Talk about passing the buck.
Based on the responses, I would highly recommend that merchants take American Express’ advice and protect pre-authorization data with the same zeal as they do post-authorization data.
Cross-posted from PCI Guru