Logging Credit Card Data Access

Purpose: The VISA Cardholder Information Security Program (CISP) and the Payment Card Industry (PCI) Data Security Standard provide guidelines for securing cardholder data. Toward fulfillment of these guidelines, the system writes a record to the Credit Card Audit file (MSCCAU) whenever a user with authority to view credit card numbers displays a screen or window that includes the credit card number field, or prints a report that might include any credit card numbers.

Audit file updates: The update to the Credit Card Audit file includes:

• the user ID and name of the person who viewed the screen or window, or printed the report

• the program name of the screen, window, or report, and its description

• the date and time when the screen, window, or report was viewed or generated

• the order, customer number, and invoice number associated with the credit card number, if this information is available

There is no menu option that provides visibility into the audit file; however, you can use queries or custom reports to view the file’s contents.

In this topic:

• Authority to View Credit Card Numbers

• Updates to Credit Card Audit File (MSCCAU)

Authority to View Credit Card Numbers

The authority to view credit card numbers is controlled by two secured features: Restrict Access to Credit Card Numbers in OI and OM (A88) and Display Full Credit Card Number (B14). In general, the system writes a record in the Credit Card Audit file whenever a user with authority under both of these secured features views a screen or window, or prints a report that includes the credit card number.

Exceptions: For certain reports and menu options, the system writes the Credit Card Audit file record even if the user does not have authority under the Restrict Access to Credit Card Numbers in OI and OM (A88) secured feature, as long as the user has authority under Display Full Credit Card Number (B14):

• Online Credit Card Authorization Listing

• Held Order by Pay Type Report

• Unactivated Stored Value Card Report

• Working with Physical Stored Value Card Assignment (WPSA)

• Credit Card Authorization Listing

• Address Verification Response List

• Deposit Proof Listing By Pay Type

• Deposit Proof Listing

• Unconfirmed Deposits Listing

Important: The system does not update the Credit Card Audit file if the user’s authority under the Display Full Credit Card Number (B14) secured feature is set to *EXCLUDE and you have not set up a masking format for credit cards. For this reason, it is important to use the Credit Card Number Layout Screen to set up a masking format if you are going to set users’ authority to display the credit card number to *EXCLUDE, so that cardholders’ data is protected.

What if no credit card number displayed? The system writes the Credit Card Audit file based on the user’s security as long as the credit card number field is included on the window, screen, or report, regardless of whether a credit card number is actually displayed. For example, if a user with authority advances to the Display Customer Order History Screen, the system writes a record to the Credit Card Audit file because the credit card number field is included on that screen, even if the particular customer has never used a credit card.

Also, the system writes an audit file record based on the credit card pay category (2), regardless of whether the payment method actually represents a “true” credit card, some other Card type, or a token. For example, the system writes the audit file record when a user with authority views a screen that displays a Bill Me Later payment method. See Types of Credit Cards for a discussion of different Card type options, such as Bill Me Later.
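Because the audit file can only be read through queries or custom reports, a periodic review usually starts from an export. The following is an added example, not part of the product or its documentation: it summarizes exported audit records per user. The CSV layout, column names, program names, and the 07:00 to 19:00 working window are assumptions made for illustration and are not MSCCAU field names.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names and program names are hypothetical.
SAMPLE_EXPORT = """user_id,user_name,program,description,viewed_at,order_nbr,customer_nbr,invoice_nbr
JSMITH,Jane Smith,PGM001,Display Customer Order History,2018-03-05T10:15:00,1001,501,
JSMITH,Jane Smith,PGM001,Display Customer Order History,2018-03-05T10:20:00,1002,502,
JSMITH,Jane Smith,PGM002,Deposit Proof Listing,2018-03-05T23:40:00,,,
BJONES,Bob Jones,PGM001,Display Customer Order History,2018-03-06T09:05:00,1003,501,9001
"""


def summarize(export_text, day_start=7, day_end=19):
    """Summarize audit records per user ID.

    A record means the credit card number field was on the screen, window,
    or report, not that a number was actually shown, so the counts are an
    upper bound on exposure rather than a count of card numbers seen.
    """
    summary = defaultdict(lambda: {"records": 0, "customers": set(),
                                   "no_context": 0, "off_hours": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        s = summary[row["user_id"]]
        s["records"] += 1
        if row["customer_nbr"]:
            s["customers"].add(row["customer_nbr"])
        # Order, customer, and invoice are recorded only when available;
        # records without any of them cannot be tied to a single cardholder.
        if not (row["order_nbr"] or row["customer_nbr"] or row["invoice_nbr"]):
            s["no_context"] += 1
        # Assumed working window; adjust to the site's actual shifts.
        hour = datetime.fromisoformat(row["viewed_at"]).hour
        if not day_start <= hour < day_end:
            s["off_hours"] += 1
    # Replace each set of customer numbers with its size for reporting.
    return {u: {**s, "customers": len(s["customers"])} for u, s in summary.items()}


if __name__ == "__main__":
    for user, stats in sorted(summarize(SAMPLE_EXPORT).items()):
        print(user, stats)
```
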

SO15_04 CWDirect 18.0.x 2018 OTN