Does Able store Authorize.Net Card Numbers?

[dandersonMLT]

I am assuming the answer to this question is no for PCI compliance, but I want to double check.
We received this from Authorize.net this morning.

On the evening of March 21, 2016, between 4:13 PM and 11:49 PM Pacific time, an error occurred following an Authorize.Net system update that resulted in some merchants receiving transaction responses that contained their customers' full, unmasked card number associated with the transaction, rather than the masked, last four digits (Ex. XXXX 1234) normally included in the response. Our internal team identified and resolved the issue.

Our records indicate that some of your transactions may have been affected. As with all your transaction processing, these responses were returned via a secure, encrypted connection. However, it is recommended that you immediately contact your e-commerce/shopping cart provider or web developer to determine whether you typically store the card number field from the transaction response data you receive from Authorize.Net. Please refer to the FAQs below for further details regarding the card number field and its location in the transaction response.

If you determine that any transaction responses from the timeframe above were stored in your systems and contain a full, unmasked card number (rather than just the last four digits), it's recommended you delete the full card number or take appropriate steps to securely store or mask the data to maintain your level of Payment Card Industry Data Security Standard (PCI DSS) compliance. Please contact your Merchant Service Provider or PCI DSS assessor for further information on PCI compliance or refer to the PCI DSS website.

If you have any questions regarding this notice, please review the FAQs below or contact Customer Support.

We apologize for any disruption this may have caused and thank you for being an Authorize.Net merchant.

Sincerely,
Authorize.Net

[Katie]

There is a setting so you can decide whether or not to store the credit card numbers. There is a setting on the Configure > Security > System Settings page. It is called "Enable Payment Storage".

However, if I understand the problem here, it sounds as if Authorize.net has sent transaction details in their responses. If you have enabled debug mode for the gateway, we can see information in the log files. Usually, any sensitive information is masked, so I'm assuming that Authorize.net didn't do that on Mar. 21st. So, you might want to check your Anet gateway config page (within AC) and see if Debug mode was enabled. If yes, then you will want to delete your Authorizenet.log file from the \App_data\Logs folder.

Let me know if you have any questions or concerns.

Katie

[dandersonMLT]

There is a setting so you can decide whether or not to store the credit card numbers. There is a setting on the Configure > Security > System Settings page. It is called "Enable Payment Storage".

However, if I understand the problem here, it sounds as if Authorize.net has sent transaction details in their responses. If you have enabled debug mode for the gateway, we can see information in the log files. Usually, any sensitive information is masked, so I'm assuming that Authorize.net didn't do that on Mar. 21st. So, you might want to check your Anet gateway config page (within AC) and see if Debug mode was enabled. If yes, then you will want to delete your Authorizenet.log file from the \App_data\Logs folder.

Let me know if you have any questions or concerns.

Katie

Ok, so debug is disabled. Enable Payment Storage Data is On. But Days to save is set to 0.
Is there anything we need to worry about with this?

Thanks,
Dave

[Katie]

Hi Dave,

Sounds ok, but you could look in the AC_Transactions table and make sure that the credit card data is truncated. Just to make sure.

Thanks,
Katie

[dandersonMLT]

Hi Dave,

Sounds ok, but you could look in the AC_Transactions table and make sure that the credit card data is truncated. Just to make sure.

Thanks,
Katie

Thanks for your help. It looks like everything is fine on our end.