This is one of our ‘back to basics’ articles, where we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and sensitive authentication data (SAD) in particular.
Bit of a recap first. The PCI DSS is an information security standard for organisations that store, process and/or transmit payment card belonging to one of the five (5) major card brands (Visa, MasterCard, JCB, American Express and Discover). In 2004, these major card brands joined forces and produced version 1 to help businesses process card payments securely and reduce card fraud. Now in 2019, version 3.2.1 of the standard provides a set of baseline controls that is expected to be complied with by all organisations processing payment card data.
When we refer to payment card data however, a differentiation is made between the storing, processing or transmitting of cardholder data (CHD) and sensitive authentication data (SAD). Here, we look at that differentiation and the extra PCI DSS requirements which apply to SAD.
CHD vs. SAD
The PCI DSS considers CHD and SAD as account data. CHD consists of a full primary account number (PAN) plus any of the following: cardholder name, expiration date and service code. Please note that Requirements 3.3 and 3.4 of the PCI DSS only apply to the PAN. If the PAN is stored with other elements of CHD, only the PAN must be rendered unreadable according to PCI DSS requirement 3.4.
Due to the different card brand naming conventions, SAD is also referred to as ‘card verification value’ (CVV2), ‘card authentication value’ (CAV2), ‘card verification code’ (CVC2) and ‘card identification number (CID). Visa uses the term CVV2, JCB uses CAV2, MasterCard uses CVC2 and American Express and Discovery both use CID.
For Discover, JCB, MasterCard and Visa payment cards, card verification values or codes are the rightmost three-digit value printed in the signature panel on the reverse of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual card and ties the PAN to the card.
With SAD, the PCI DSS places extra security requirements. Most significantly, SAD must never be stored after authorisation, even if encrypted. This applies even where there is no PAN in the environment. Organisations should also contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorisation, for how long, and any related usage and protection requirements.