My client is a small US mail-order company and they use an online credit card (CC) payment terminal to run CC transactions. The workflow is:
1. Customer calls and places order. We take CC information, including CVV and store it in the database.
2. Order is sent to fulfillment and then to shipping.
3. Once it ships, we use the online terminal to run the CC. This could be hours or sometimes weeks after step 1.
Therefore, they have a table with CC information including CVV.
When reviewing PCI Compliance requirements, we noticed:
10.2.1 [Track and Monitor] All individual accesses to cardholder data
This would require us to record any access to the sensitive data sitting in our table.
My first instinct was to use SQL Server Audit, but it requires Enterprise Edition which is unaffordable. We are using Express Edition 2012.
Next I was thinking about SQL Trace. Has anyone gone down this road before? Is it a good idea? If not, what is the best alternative?
-Tom. Microsoft Access MVP
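As an added example (not part of Tom's post, and not a product of any project he names), here is what the server-side SQL Trace he is considering could look like in T-SQL, aimed at the intent of 10.2.1: every completed statement that touches the cardholder table is written to a rollover trace file together with the login, Windows user, host, application and time. It assumes a hypothetical table named dbo.CardholderData, a directory C:\SQLTrace that the SQL Server service account can write to, and a login holding the ALTER TRACE permission; the sp_trace_* procedures are present in Express Edition even though the Profiler GUI is not.

```sql
-- Added example (not from the original post): a server-side SQL Trace that logs
-- every completed statement mentioning the hypothetical table dbo.CardholderData.
-- Assumptions: C:\SQLTrace exists and is writable by the SQL Server service
-- account; the caller has ALTER TRACE.
DECLARE @TraceID   int;
DECLARE @MaxFileMB bigint = 50;   -- start a new .trc file every 50 MB
DECLARE @On        bit    = 1;

-- Option 2 = TRACE_FILE_ROLLOVER. The .trc extension is appended automatically.
EXEC sp_trace_create @TraceID OUTPUT, 2, N'C:\SQLTrace\cc_access', @MaxFileMB, NULL;

-- Columns to capture for each event:
--   1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
--   11 LoginName, 12 SPID, 14 StartTime, 35 DatabaseName
DECLARE @Columns TABLE (ColumnID int PRIMARY KEY);
INSERT INTO @Columns VALUES (1), (6), (8), (10), (11), (12), (14), (35);

-- Events: 41 = SQL:StmtCompleted (ad-hoc statements),
--         45 = SP:StmtCompleted  (statements run inside stored procedures),
--         10 = RPC:Completed     (procedure calls from the application)
DECLARE @ColumnID int = (SELECT MIN(ColumnID) FROM @Columns);
WHILE @ColumnID IS NOT NULL
BEGIN
    EXEC sp_trace_setevent @TraceID, 41, @ColumnID, @On;
    EXEC sp_trace_setevent @TraceID, 45, @ColumnID, @On;
    EXEC sp_trace_setevent @TraceID, 10, @ColumnID, @On;
    SET @ColumnID = (SELECT MIN(ColumnID) FROM @Columns WHERE ColumnID > @ColumnID);
END

-- Keep only statements whose text names the cardholder table.
-- Arguments: column 1 = TextData, logical_operator 0 = AND, comparison 6 = LIKE.
EXEC sp_trace_setfilter @TraceID, 1, 0, 6, N'%CardholderData%';

-- Status 1 = start (0 = stop, 2 = close and delete the trace definition).
EXEC sp_trace_setstatus @TraceID, 1;
SELECT @TraceID AS TraceID;   -- keep this id to stop the trace later

-- Reviewing the log, e.g. for a periodic access review:
SELECT StartTime, LoginName, NTUserName, HostName, ApplicationName, DatabaseName, TextData
FROM   sys.fn_trace_gettable(N'C:\SQLTrace\cc_access.trc', DEFAULT)
WHERE  TextData IS NOT NULL
ORDER  BY StartTime;
```

Three points matter before relying on this. First, TextData holds the literal statement text, so an INSERT or a procedure call that carries the card number and CVV as parameters lands in the trace file in clear text; the trace directory therefore becomes cardholder data itself and needs the same NTFS restrictions, retention limits and monitoring as the table (the log records access to the data; how long the CVV may be kept at all is a separate PCI requirement). Second, the LIKE filter only matches statements that spell out the table name: reads through a view, a synonym or a dynamic-SQL string that builds the name will not be caught, so add a further sp_trace_setfilter call per alias with logical_operator 1 (OR), or, more robustly, route all reads through one stored procedure that writes its own audit row and deny direct SELECT on the base table. Third, a trace does not survive a service restart and SQL Trace is deprecated from 2012 onward, so either re-create it from a startup procedure (sp_procoption) or build the same capture as an Extended Events session, which is the supported replacement and does not require Enterprise Edition.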