Comment 17 for bug 1474051

Bill Erickson (berick) wrote :

Got some local feedback and talked to our PCI vendor.

For starters, the PCI vendor was a little confused that we'd want to keep the last-4 at all, but when pressed w/ the posted PDF, said keeping the last-4 as long as "no other cardholder data was stored" was not enough to move you from PCI level C-VT to level D. (Level D is where you're filling out 200 page forms and things get really complicated). The most important things not to store are CCV (we're good there) and expire date (which we propose dropping in this bug). However, the bit about storing "no other cardholder data" concerns me some, since we are potentially storing other cardholder data, because we link the payment to the patron, which in many/most cases is probably the same as the cardholder. That potentially gives us first and last name on the card.

For our purposes locally, we are fine never storing the last-4 or including it on receipts. Given there is still confusion over exactly what is required, though, I second Galen's suggestion of retaining the last-4 for a period of time.

I propose we drop all of the proposed columns except cc_number, which retains the last-4 as before, and we provide a tool (CRON script) to NULLify the values in cc_number once payments reach a configured age.

If this sounds sane, I can work on the changes.