FAQ #1042 Diff
Should cardholder data be encrypted while in memory?
Earlier Version
If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains a non-persistent state. For example, if the data in memory is being written to a file, then appropriate PCI DSS requirements are applicable to that file. Where appropriate, data should be securely purged as soon as possible - for example, from swap files and temporary folders. PCI SSC recommends engaging a Qualified Security Assessor (QSA) for guidance as to whether a specific implementation will satisfy this requirement. Please see the list of QSAs at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Later Version
If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains a non-persistent state. For example, if the data in memory is being written to a file, then appropriate PCI DSS requirements are applicable to that file. Data should be removed from volatile memory once the business purpose (for example, the associated transaction) is complete. In the case that data storage becomes persistent, all applicable PCI DSS requirements will apply, including encryption of stored data. PCI SSC recommends engaging a Qualified Security Assessor (QSA) for guidance as to whether a specific implementation will satisfy this requirement. For a list of QSAs, please visit: https://listings.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
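One way an application can act on the FAQ's two points, keeping cardholder data in memory that stays non-persistent and removing it once the transaction completes, is sketched below. This is an added example, not code from PCI SSC. It assumes a Linux/POSIX system, and the names `pan_buf`, `pan_buf_open`, `pan_buf_set`, `pan_buf_wipe` and `pan_buf_close` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS and madvise on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#define PAN_MAX 19          /* longest PAN, in digits */
#define BUF_LEN 4096        /* mapping length; the kernel rounds to whole pages */

struct pan_buf {            /* hypothetical holder for one transaction's PAN */
    char *mem;              /* anonymous mapping, never file-backed */
    int   locked;           /* 1 if mlock() pinned the page out of swap */
};

/* Map a private page, try to pin it in RAM and exclude it from core dumps. */
int pan_buf_open(struct pan_buf *b) {
    void *p = mmap(NULL, BUF_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    b->locked = 0; b->mem = (p == MAP_FAILED) ? NULL : p;
    if (!b->mem) return -1;
    b->locked = (mlock(p, BUF_LEN) == 0);  /* can fail under RLIMIT_MEMLOCK */
#ifdef MADV_DONTDUMP
    madvise(p, BUF_LEN, MADV_DONTDUMP);    /* Linux only */
#endif
    return 0;
}

int pan_buf_set(struct pan_buf *b, const char *pan) {
    size_t n = strlen(pan);
    if (!b->mem || n > PAN_MAX) return -1;
    memcpy(b->mem, pan, n + 1);
    return 0;
}

/* Zero via a volatile pointer so the stores are kept; returns bytes left non-zero. */
size_t pan_buf_wipe(struct pan_buf *b) {
    volatile unsigned char *v = (volatile unsigned char *)b->mem;
    size_t i, left = 0;
    if (!b->mem) return 0;
    for (i = 0; i < BUF_LEN; i++) v[i] = 0;
    for (i = 0; i < BUF_LEN; i++) left += (v[i] != 0);
    return left;
}

/* Call when the transaction completes: wipe first, then unmap (drops the lock). */
int pan_buf_close(struct pan_buf *b) {
    if (!b->mem) return -1;
    size_t left = pan_buf_wipe(b);
    munmap(b->mem, BUF_LEN);
    b->mem = NULL; b->locked = 0;
    return left == 0 ? 0 : -1;
}
```

If `locked` is 0 after `pan_buf_open`, the page can still reach swap, so the swap device then falls under the "written to a file" case the FAQ describes.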
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.