Content Provided By: Payex


Storing Prohibited Data

May 1st, 2007

Is your business storing prohibited data? Prohibited data is any cardholder information that a merchant stores after a transaction in violation of the Payment Card Industry Data Security Standards (PCI DSS), Visa Inc. Operating Regulations, and Visa’s Payment Application Best Practices (PABP).

How can you tell if you are storing prohibited data? Prohibited data includes the full contents of magnetic stripes, CVV2, and PIN data stored after transaction authorization. Permitted data, on the other hand, includes the cardholder’s name, primary account number, expiration date, and service code. This information may be stored for business purposes as long as it is protected by a PABP-approved application in accordance with the PCI DSS.

You can find a list of PABP-approved applications at

Merchants who use payment applications that are NOT supported by PABP are vulnerable to data theft. Visa calls for merchants to take corrective action immediately.

  • Obtain a summary of your application’s files from the software vendor.
  • Upgrade to applications that are PABP-approved if the files store prohibited data.
  • Confirm your software version with the vendor.
  • Delete all prohibited data files right away.
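
One way to check an application's files for stored full magnetic stripe data, added here as an illustration (it is not from the original post, Visa, or any vendor). It assumes the ISO/IEC 7813 Track 1 and Track 2 layouts; the function names and the sample log lines are constructed for this example.

```python
import re

# ISO/IEC 7813 layouts (assumed here; the page does not spell them out).
# Track 1: %B PAN ^ NAME ^ YYMM service-code discretionary-data ?
TRACK1 = re.compile(rb"%B(\d{12,19})\^([^^\n]{2,26})\^(\d{4})(\d{3})([^?\n]*)\?")
# Track 2: ; PAN = YYMM service-code discretionary-data ?
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit test, used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four digits so the report stores no full PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(blob: bytes):
    """Return (track, byte offset, masked PAN) for each full-stripe record."""
    hits = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(blob):
            if luhn_ok(m.group(1)):
                hits.append((name, m.start(), mask(m.group(1))))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample log; 4111111111111111 is the widely used test card number.
SAMPLE = (
    b"2007-04-30 SALE auth=012345 card=411111******1111 exp=0912\n"
    b"2007-04-30 DEBUG swipe=%B4111111111111111^DOE/JOHN^09121010000000000000?\n"
    b"2007-04-30 DEBUG swipe=;4111111111111111=09121010000000000?\n"
    b"2007-04-30 DEBUG swipe=;4111111111111112=09121010000000000?\n"  # fails Luhn
)

if __name__ == "__main__":
    for track, offset, pan in find_track_data(SAMPLE):
        print(f"{track} at byte {offset}: {pan}")
```

The masked receipt line is not reported because it holds only permitted, truncated data; the two swipe records are, because they carry the full stripe contents.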

If you have any questions, contact [email protected].

Here’s a list of payment applications that have been identified as storing full magnetic stripe data. Some applications have been fixed by the vendor. These applications are noted below.

| Payment Application Vendor | Product Version That Contains Magnetic Stripe Data | Product Version/Patch That Does Not Contain Magnetic Stripe Data |
|---|---|---|
| ICVerify, Inc. | ICVERIFY Software for Windows V2.X (produced by CyberCash, Inc. prior to 2002) | ICVERIFY Software for Windows V2.X Service Pack 1 (available since 2003); ICVERIFY Software for Windows V3.X; PABP Validated Payment Application: ICVERIFY Software for Windows V4 (available since 2005) |
| MenuSoft Systems | Digital Dining: All versions using a DDServ.dll file prior to V7.3.0350 | Digital Dining: All versions using a later DDServ.dll file to and including V7.3.0350; PABP Validated Payment Application: Digital Dining V7.3.0375 |
| Micros Systems, Inc. | 8700 HMS: V1.00 thru V2.11.9; V2.50 thru V2.50.20; V2.70 thru V2.70.14 | 8700 HMS: V2.11.10 +; V2.50.21 +; V2.70.15 +; V3.00 |
| Micros Systems, Inc. | 9700 HMS: All versions prior to V2.50 | 9700 HMS: All later versions to and including V2.50; PABP Validated Payment Applications: 9700 HMS V3.0 service pack 6 thru 12 and HMS V3.1 |
| Micros Systems, Inc. | RES 3000: V1.0.0 thru V3.1.2; V3.2.0 | RES 3000: V3.1.3 +; V3.2.1 +; PABP Validated Payment Applications: RES 3000 V4.1, 4.0 and V3.2 service pack 7 hotfix 5 with TransactionVault |
| | Maitre’D: All versions of V2002; All versions prior to V2003 service pack 11; All later versions prior to V2005 service pack 3 | Maitre’D: All later versions to and including V2003 service pack 11; All later versions to and including V2005 service pack 3 |
| | Aloha: All versions prior to V5.3.15 | Aloha: All versions later to and including V5.3.15 |
| Southern DataComm, Inc. (SDC) | ConnectUp: All versions; PopsOn: All versions; ProtoBase® version 4.7x-xx; ProtoBase® version 4.80-xx; PbAdmin® version 4.01-xx; PbAdmin® version 5.00-xx | ProtoBase® version 4.81-xx; ProtoBase® version 4.82-xx; ProtoBase® version 4.83-xx; PbAdmin® version 5.01-xx; PbAdmin® version 5.02-xx; PABP Validated Payment Application: ProtoBase® Suite v6.0 (ver. 6.00.xx) |

Entry Filed under: Rules and Regulations
