PCI DSS Compliance – What you CAN and CANNOT Store Re: Cardholder Data and Sensitive Authentication Data (SAD)
Regarding Payment Card Industry (PCI) Data Security Standards (DSS) compliance, commonly known as PCI DSS, there’s seems to be some confusion at times as to what CAN and CANNOT be stored. The PCI DSS standards are actually quite clear on this, so here they are. The following information CAN be stored for purposes of complying with PCI DSS:
- The Primary Account Number (PAN)
- Cardholder Name
- Service Code
- Expiration Date
Please keep in mind, though you are permitted to store this information, it needs to be “protected”. How so? By ensuring the PAN is rendered unreadable, by methods such as encryption, hashing or truncating.
What Merchants/Service Providers Should NOT Store – Sensitive Authentication Data (SAD)
Regarding PCI DSS compliance, the following is a list of information which should NOT be stored (however, there are exceptions, which we’ll discuss):
- Full Magnetic Stripe/Track Data (Track 1 and Track 2)
- CID, CAV2, CVC2, and CVV2 codes
- Pin and Pin Block
The exceptions to this are simply the following: If there is a compelling and justified business reason for storing this data, then it may be permitted. Careful consultation with a Qualified Security Assessor (QSA) can help you answer this question.
And lastly, don’t confuse the “service codes” with the “CID, CAV2, CVC2, and CVV2 codes”, which seems to happen quite often. Remember, the “service code” is actually the 3 or 4 digit number on the magnetic-stripe that specifies the acceptance requirements and limitations for magnetic-stripe read transactions. In short, it’s imbedded on the magnetic stripe on the track data, typically known as Track 1 data (you can store that, it’s allowed). The CID, CAV2, CVC2, and CVV2 codes are displayed on the cards either on the front or the back.
To learn more about the Payment Card Industry Data Security Standards and becoming PCI DSS compliant, please contact us today at pci@pcipolicyportal.com.