Integration and Testing

Authorize.Net API questions and help with your payment integration.

Posts: 1
Registered: ‎05-25-2011

Storing track data PRE-Authorization?

Obviously there can't be a definitive answer here at the moment, though I was hoping to get at least some knowledge of similar cases, hints, alternatives, or at least be shot down right away.


Quick background, I'm looking into writing a custom app for a company for use at festivals. Previously they used a laptop connected to the virtual terminal loaded on IE and the active x control was pulling data from the card reader (MSR) and all of the data was transported over a cellular connection. Between page timeouts and the active x control frequently malfunctioning and losing it's claim on the MSR which meant they had to physically type in the PAN pretty often, this option is painfully slow. The bigger problem however is that there are a couple of festivals they attend where the cellular connection is either very weak or completely non-existent (ie. At least one location is a true dead zone for every carrier), and the festival does not provide any wifi or even a way to reach phone lines.


I'd like to give them an application that functions normally in most scenarios with instant communication, much lighter data transmission (anything is better than sending full web pages back and forth); but also allow for an offline mode.  Specifically, when there's no ability to communicate with Authorize.Net immediately, read the Track data, encrypt it and store it along with the amount to charge, then after the festival is over for the day they can return to an area with a usable signal where they can decrypt the Track data and perform the charges...obviously overwriting and erasing the track data the moment that confirmation is received. There's no interest in keeping data long term, but for obvious reasons it must be stored temporarily on a hard drive in the event the laptop must be powered down or restarted.


I haven't had time to exhaustively examine PCI PA-DSS yet, but I know Article 1.1.1 says that "After authorization, do not store the full contents of any track from the magnetic stripe". It feels like I'm taking advantage of the letter rather than the intent, but clearly I'd only be storing Track data until the moment of authorization and then destroying it.  Is this still an absolute No-No, is there a reasonable alternative, or do I have to tell them to go back to using a knuckle-buster when they have to work these technophobic events?


I appreciate any insights into this issue...and yes, when/if I contact the PCI committee, I'd like to approach the subject with a little more understanding than I have now :)