Requirement 9: Cardholder data must never be stored on a server connected to the internet

Details about how requirement 9 and subrequirement 9.1 are fulfilled.

Requirement 9.1

The payment application must be developed such that any web server and any cardholder data storage component (for example, a database server) are not required to be on the same server, nor is the data storage component required to be on the same network zone (such as a DMZ) with the web server.

To meet this requirement, you must not store cardholder data on a server that is connected to the internet. For more information, see Configuring cardholder data storage locations.

Systems that are used by external Python programs are outside the scope of IBM® Safer Payments. External Python programs could be used to store data on external systems. You must ensure that no cardholder data is stored on servers that are accessible from the internet.