We are assessing our PCI compliance, and one of our non-compliant items is that we receive orders that go directly into the TN database in non-encrypted format (the BLOB can easily be converted to clear XML text), and those files may contain credit card numbers.
Our first approach was to take the original content and replace the credit card information with either an encrypted value or even an internal ID that would be generated by a web service that would have registered the credit card number in a secure environment.
I thought that we could change the original content in the TN database, but many posts in this forum tell me that I don't want to do that.
So what would be a good approach to get rid of the credit card information while keeping the rest of the information? Note that we have a business need to keep those files for verification, so we need to be able to open (and sometimes reprocess) a file received from a partner.
Would it be best to archive in a different database and just delete the content from Trading Networks?
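
An added example (not part of the original post, and not Trading Networks code) of the replacement approach described above: card numbers found in an order's XML are swapped for an internal ID while the rest of the document is kept. `InMemoryVault` is a hypothetical stand-in for the secure web service, and the sample order and its element names are constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum filters out order numbers and other long digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class InMemoryVault:
    """Hypothetical stand-in for the secure web service that stores the PAN."""
    def __init__(self):
        self._by_pan = {}
    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:  # same PAN always maps to the same ID
            self._by_pan[pan] = "TOK-" + secrets.token_hex(8)
        return self._by_pan[pan]

def _scrub(text, vault):
    # Replace only digit runs that pass Luhn; leave everything else as-is
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text) if text else text

def tokenize_pans(xml_text: str, vault) -> str:
    # Walk element text, tails and attribute values of the whole document
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.text = _scrub(el.text, vault)
        el.tail = _scrub(el.tail, vault)
        for k in list(el.attrib):
            el.attrib[k] = _scrub(el.attrib[k], vault)
    return ET.tostring(root, encoding="unicode")

# Constructed sample order; 4111111111111111 is a well-known test card number
SAMPLE = """<Order id="1001"><Customer>ACME</Customer>
<Payment card="4111-1111-1111-1111"><Number>4111111111111111</Number>
<Ref>1234567890123456</Ref></Payment></Order>"""

if __name__ == "__main__":
    print(tokenize_pans(SAMPLE, InMemoryVault()))
```
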