312-50V11 · Question #783
Your business has decided to add credit card numbers to the data it backs up to tape. Which of the following represents the best practice your business should observe?
The correct answer is D. Hire a security consultant to provide direction.. Handling credit card data is governed by PCI DSS compliance requirements, making expert consultation the recommended first step before implementing any backup strategy.
Question
Your business has decided to add credit card numbers to the data it backs up to tape. Which of the following represents the best practice your business should observe?
Options
- ADo not back up either the credit card numbers or their hashes.
- BEncrypt backup tapes that are sent off-site.
- CBack up the hashes of the credit card numbers not the actual credit card numbers.
- DHire a security consultant to provide direction.
How the community answered
(27 responses)- A7% (2)
- B15% (4)
- C4% (1)
- D74% (20)
Why each option
Handling credit card data is governed by PCI DSS compliance requirements, making expert consultation the recommended first step before implementing any backup strategy.
Not backing up credit card data or hashes may be appropriate in some cases, but this blanket approach ignores legitimate business and compliance needs that a consultant would properly assess.
Encrypting off-site tapes is a PCI DSS requirement for stored cardholder data, but it is only one control and does not address all compliance obligations involved in adding card data to backups.
Backing up hashes instead of actual card numbers reduces risk but hashes alone may not satisfy all business or recovery requirements, and this decision should be validated by a compliance expert.
Adding credit card numbers to backups introduces PCI DSS (Payment Card Industry Data Security Standard) compliance obligations that carry significant legal and financial risk. A qualified security consultant or QSA (Qualified Security Assessor) can ensure the backup strategy meets all PCI DSS requirements for data protection, encryption, and access controls before implementation.
Concept tested: PCI DSS compliance for credit card data backup
Source: https://www.pcisecuritystandards.org/document_library/
Topics
Community Discussion
No community discussion yet for this question.