PCI DSS applies to all entities involved in payment card processing including merchants, processors, financial institutions and service providers.
Cardholder data and sensitive authentication data are defined as follows:
| Cardholder Data |
Sensitive Authentication Data |
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
|
- Full track data (magnetic-stripe data or equivalent on a chip)
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks
|
- The storage of sensitive authentication data after authorization is not allowed.
- There is no business need to store sensitive authentication data after authorization; it is not needed for transaction disputes and it is absolutely NOT allowed.
Technical Guidelines for Storing Data
| |
Data Element |
Storage Permitted |
Render Stored Data Unreadable per Requirement 3.4 |
| Cardholder Data |
Primary Account Number (PAN) |
Yes |
Yes |
| |
Cardholder Name |
Yes |
No |
| |
Service Code |
Yes |
No |
| |
Expiration Date |
Yes |
No |
| Sensitive Authentication Data |
Full Magnetic Stripe Data |
No |
Cannot store per Requirement 3.2 |
| |
CAV2/CVC2/CVV2/CID |
No |
Cannot store per Requirement 3.2 |
| |
PIN/PIN Block |
No |
Cannot store per Requirement 3.2 |
- PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.
- Sensitive authentication data must not be stored after authorization even if encrypted. This applies even when there is no PAN in the environment.
- Per PCI DSS Requirement 3.3, the first six and last four digits are the maximum number of digits that can be displayed.
- Only personnel with a legitimate business need can see the full PAN.
Important PCI DSS Data Storage Do’s and Don'ts
| Data Storage Do's |
Data Storage Dont's |
- Do understand where payment card data flows for the entire transaction process
- Do verify that your payment card terminals comply with the PCI personal identification number (PIN) transaction security (PTS) requirements
- Do verify that your payment applications comply with the Payment Application Data Security Standard (PA-DSS)
- Do retain (if you have a legitimate business need) cardholder data only if authorized, and ensure it’s protected
- Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals
- Do ensure that third parties who process your customers’ payment cards comply with PCI DSS, PTS and /or PA-DSS as applicable. Have clear access and password protection policies
|
- Do not store cardholder data unless it’s absolutely necessary
- Do not store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed 3-4 card validation code on the front or back of the payment card after authorization
- Do not have PTS terminals print out personally identifiable payment card data; printouts should be truncated or masked
- Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones
- Do not locate servers or other payment card system storage devices outside of a locked, fully- secured and access-controlled room
- Do not permit any unauthorized people to access stored cardholder data
|