National Webcast Initiative

Payment Card Industry Data Security Standard (PCI-DSS)
February 12, 2009


The following is a compilation of questions submitted to the presenters through the written Q and A tool during the webcast. The transcript has been edited for relevance.


Question: In terms of network segmentation, are VLAN trunking protocols and/or sub-interfaces on a security device sufficient, or must separate physical devices be used?

Answer: The best practice for network segmentation from the security perspective is to use separate physical interfaces. VLAN trunking protocols cannot be considered security boundaries.

*************************

Question: What data is included on the magnetic strip?

Answer: Usually name of the card holder, the account number, the expiration date, and the verification/CVV codes.

*************************

Question: I've been told that the storage of credit card numbers only needs to be addressed if the numbers are searchable. If there's not a capability to search the logs, then it is considered "safe" as is. Is this a correct interpretation of PCI compliance requirements?

Answer: That is incorrect.

*************************

Question: My understanding is that it is required not to store any Card information at all. Is that wrong?

Answer: Do not store this information if you don't have to. However, PCI does not state that you must not store this information.

*************************

Question: Can an online or telephone credit card transaction be completed with just the name and account number (not the CVV)?

Answer: It is possible. However, it is up to the merchant to determine what kind of information will be gathered from the customer for verification. If the merchant only takes the card number and name, he/she is taking a bigger risk of fraud. Each additional piece of information (CVV, address, ZIP) is used to verify the customer.