
3 - recurring operations, Data retention, User accounts – Gasboy CFN III Fuel Management System PA-DSS User Manual


MDE-4870A CFN III Fuel Management System PA-DSS Implementation Guide Version 3.6 · June 2010


3 – Recurring Operations

Data Retention

The PCI PA-DSS requirement 3.1 defines the data retention requirements.

Note: The merchant is responsible for determining how long the CFN III retains the secure information.

• Keep cardholder data storage to a minimum.
• Develop a data retention and disposal policy.
• Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes.
• Set the size of the transaction file small enough to ensure that the system will overwrite the oldest transaction before the end of your defined retention period. For instructions on setting the size of your transaction table, refer to MDE-4872 CFN III Configuration Manual for Windows XP Version 3.6.

In the event that the transaction data is not overwritten in the defined period, the transaction memory must be purged as described in “Purge Transaction Records” on page 3.

User Accounts

Refer to “Appendix A: PCI Password Requirements” on page A-1.

Audit Trail

This Audit Log information is required to allow traceability of user actions and must be
protected to meet the PCI requirements. This information must be reviewed daily by the
merchant. It is required that at least 90 days of audit information resides on the system and the
administrator/owner is to retain at least one year of audit information, offline, and in a secure
location. New audit information is to be copied to removable media for downloading and
protecting on a regular basis.

The Audit Log must remain enabled.