
Cardholder Data

PCI DSS

The Payment Card Industry Data Security Standards (PCI DSS) is an information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment.

The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

The standard was created to increase controls around cardholder data to reduce credit card fraud by ensuring businesses follow best practices for protecting their customers’ credit card information. Businesses fitting one (1) or more of the following criteria are subject to the PCI DSS requirements:

  • A business that accepts credit or debit cards for payment, even if using a third-party vendor’s hardware, software or application to do so;

  • A service provider that stores credit/debit card data on behalf of another business; and/or

  • A hosting provider or other service provider that processes or transmits credit/debit card data on behalf of another business.

What Is Cardholder Data?

Cardholder data (CD) is any information associated with a person in possession of a credit or debit card. Cardholder data includes the primary account number (PAN) along with the cardholder's name, expiration date and service code.

Primary Account Number
Also known as the Card Number, the account number printed on the front of the credit or debit card.

Expiration Date
The card expiry date printed on the front of the credit or debit card.

Cardholder Name
The name of the holder of the credit or debit card, printed on the front of the card.

Sensitive Authentication Data
In addition to cardholder data, payment cards are also encoded with special information known as Sensitive Authentication Data (SAD). Sensitive Authentication Data is the information on a payment card used for authentication at the time of purchase. SAD includes:

  • Full magnetic stripe

  • Card security code (CSC, CVV2, CID, CAV2)

  • PIN and/or PIN block

Protect Stored Cardholder Data

PCI applies to all merchants who process, store or transmit cardholder data. The standard allows for the storage of cardholder data provided that:

  • There is a justified business reason for storing it, and

  • Strict security measures are applied to it

What is meant by "Store"?

In the context of PCI, stored cardholder data means stored anywhere in any format:

  • In databases

  • In emails

  • On computers

  • On mobile devices

  • In paper documents such as credit card receipts

If data is encrypted the following is allowed to be stored:

  • Primary Account Number (e.g. the 16-digit number on the front of the card)

  • Cardholder Name (e.g. John Smith)

  • Expiration date (e.g. 05/25)

  • Service code

The service code cannot be read from the face of a physical card; it is encoded in the magnetic stripe.

Even if data is encrypted, you can never store:

  • Sensitive authentication data (i.e., full magnetic stripe info)

  • Card Validation Value (CVV), i.e. the 3- or 4-digit card security code

  • PIN / PIN block (i.e. the encrypted PIN)
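The storage rules above can be enforced in code before a payment record ever reaches a database, email or log. The following is an added example, not code from this page or from the PCI Security Standards Council: it drops every SAD field, refuses any free-text field that contains a full magnetic stripe (track 1 or track 2) capture, and sanity-checks the PAN so that only the four storable cardholder-data fields remain for the caller to encrypt. The field names and the sample record are constructed for the example.

```python
import re

# Field names treated as Sensitive Authentication Data (SAD) in this example.
# Constructed names; map them to the column/field names of your own schema.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "cav2", "pin", "pin_block", "track1", "track2"}

# Full magnetic stripe data as it looks when a swipe leaks into text:
# track 1 starts "%B<PAN>^NAME^YYMM", track 2 starts ";<PAN>=YYMM".
TRACK_RE = re.compile(r"(%B\d{13,19}\^[^^]{2,26}\^\d{4}|;\d{13,19}=\d{4})")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by PANs."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        checksum += d
    return checksum % 10 == 0


def contains_track_data(text: str) -> bool:
    """True if the text carries a track 1 or track 2 magnetic stripe capture."""
    return bool(TRACK_RE.search(text))


def prepare_for_storage(record: dict) -> tuple[dict, list]:
    """Apply the storage rules: drop SAD, reject stripe captures, validate the PAN.

    Returns the cleaned record (PAN still in clear; the caller must encrypt it)
    and a list of findings describing what was dropped or rejected."""
    clean, findings = {}, []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            findings.append(f"dropped SAD field '{key}'")
        elif contains_track_data(str(value)):
            findings.append(f"dropped field '{key}': contains magnetic stripe data")
        else:
            clean[key] = value
    pan = str(clean.get("pan", ""))
    if pan and not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        findings.append("rejected 'pan': not a valid card number")
        del clean["pan"]
    return clean, findings


# Constructed sample input (a standard test PAN, not real cardholder data).
SAMPLE_RECORD = {
    "pan": "4111111111111111", "cardholder_name": "John Smith", "expiry": "05/25",
    "service_code": "101", "cvv2": "123",
    "notes": "swipe capture: ;4111111111111111=2505101100001234?",
}

if __name__ == "__main__":
    stored, problems = prepare_for_storage(SAMPLE_RECORD)
    print(stored, problems, sep="\n")
```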
