Can I Store Cardholder Data?

Alastair Stewart
|
Senior Consultant at URM
PUBLISHED on
5 Aug
2022

In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and, in particular, sensitive authentication data (SAD).

But first, a bit of a recap.  The PCI DSS is an information security standard for organisations that store, process and/or transmit payment card data.  In 2004, 5 major card brands (Visa, MasterCard, JCB, American Express and Discover*) joined forces to form the Payment Card Industry Security Standards Council (PCI SSC) and produced PCI DSS version 1 to help businesses process card payments securely and reduce card fraud.  Since that time there have been various iterations of the Standard with the latest version (4.0) being released on31 March 2022 providing a set of baseline controls that is expected to be complied with by all organisations processing payment card data.  .

When we refer to payment card data, however, a distinction is made between the storing, processing or transmitting of cardholder data (CHD) and sensitive authentication data (SAD).  Here, we look at the differences and the extra PCI DSS requirements which apply to SAD.

*In 2020, UnionPay joined the founding 5 brands as a strategic partner on the Payment Card Industry Security Standards Council (PCI SSC)

CHD vs. SAD

The PCI DSS considers CHD and SAD as account data.  CHD consists of a full primary account number (PAN) plus any of the following: cardholder name, expiration date and service code.  It is worth noting that storage requirements of the PCI DSS apply to the PAN and the other data if it is stored in conjunction with the PAN.  If you only store the other data without the PAN, then the storage requirements do not apply

SAD consists of the track data in the magnetic strip, the PIN and PIN block data stored in the chip and the verification code.  Due to the different card brand naming conventions, the verification code is variously referred to as ‘card verification value’ (CVV2), ‘card authentication value’ (CAV2), ‘card verification code’ (CVC2) and ‘card identification number (CID).  Visa uses the term CVV2, JCB uses CAV2, MasterCard uses CVC2 and American Express and Discovery both use CID.

For Discover, JCB, MasterCard and Visa payment cards, card verification values or codes are the rightmost 3-digit value printed in the signature panel on the reverse of the card.  For American Express payment cards, the code is a 3-digit, unembossed number printed above the PAN on the face of the payment cards.  The code is uniquely associated with each individual card and ties the PAN to the card.

With SAD, the PCI DSS places extra security requirements.  Most significantly, unless issuers or issuing organisations have a legitimate business need to store the authentication data, SAD must never be stored after authorisation, even if encrypted.  This applies even where there is no PAN in the environment.  Organisations should also contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorisation, for how long, and any related usage and protection requirements.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
PCI DSS – The Payment Card Data Security Standard – What is it?

Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
9/8/2022
PCI DSS: Pros and Cons of Outsourcing

In this blog, we address one of the big questions facing organisations which accept payment cards....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
21/11/2023
How to Meet Key New PCI DSS 4.0 Requirements

Meeting the new payment page requirements in PCI DSS v4.0 may seem tricky. URM provides detailed guidance on implementation and effective payment page security.

Read more
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.