The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment.
The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
The standard was created to increase controls around cardholder data to reduce credit card fraud by ensuring businesses follow best practices for protecting their customers’ credit card information. Businesses fitting one (1) or more of the following criteria are subject to the PCI DSS requirements:
A business that accepts credit or debit cards for payment, even if using a third-party vendor’s hardware, software or application to do so;
A service provider that stores credit/debit card data on behalf of another business; and/or
A hosting provider or other service provider that processes or transmits credit/debit card data on behalf of another business.
What Is Cardholder Data?
Cardholder data (CD) is any information associated with a person in possession of a credit or debit card. Cardholder data includes the primary account number (PAN) along with the cardholder's name, expiration date and service code.
Primary Account Number
Sensitive Authentication Data
In addition to cardholder data, payment cards are also encoded with special information known as Sensitive Authentication Data (SAD). Sensitive Authentication Data is the information on a payment card used for authentication at the time of purchase. SAD includes:
Full magnetic stripe
Card security code (CSC, CVV2, CID, CAV2)
PIN and/or PIN block
Protect Stored Cardholder Data
PCI applies to all merchants who process, store or transmit cardholder data. The standard allows for the storage of cardholder data provided that:
There is a justified business reason for storing it, and
Strict security measures are applied to it
In the context of PCI, stored cardholder data means stored anywhere in any format:
On mobile devices
In paper documents such as credit card receipts
If data is encrypted the following is allowed to be stored:
Primary Account Number (e.g. the 16-digit number on the front of the card)
Cardholder Name (e.g. John Smith)
Expiration date (e.g. 05/25)
The data encoded in a card's magnetic stripe cannot be seen on the physical card.
Even if data is encrypted, you can never store:
Sensitive authentication data (i.e., full magnetic stripe data)
Card Verification Value (CVV), i.e. the 3- or 4-digit card security code
PIN or PIN block (i.e. the encrypted PIN)
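The storage rules above can be enforced before a record is written: reject any record carrying sensitive authentication data, require the permitted cardholder data fields to arrive encrypted, and scan free-text fields (notes, log lines) for smuggled track data or a cleartext PAN. The following is an added example, not code from the original page; the field names, the encrypted-field convention and the sample record are assumptions constructed for illustration.

```python
import re

# Field names treated as sensitive authentication data (SAD): never storable,
# encrypted or not. Field names are assumptions for this example.
SAD_FIELDS = {"track_data", "cvv", "pin", "pin_block"}
# Cardholder data that may be stored only if it arrives already encrypted.
ENCRYPT_ONLY_FIELDS = {"pan", "cardholder_name", "expiration"}

# Track 1 begins with format code 'B', a 13-19 digit PAN and a '^' separator.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^")
# A bare 13-19 digit run that might be a cleartext PAN hiding in free text.
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check; weeds out most non-PAN digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def storage_violations(record: dict, encrypted_fields: set) -> list:
    """Return the reasons a record must not be written to storage as-is."""
    problems = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in SAD_FIELDS:
            problems.append(f"{field}: SAD must never be stored")
        elif field in ENCRYPT_ONLY_FIELDS:
            if field not in encrypted_fields:
                problems.append(f"{field}: cardholder data stored in cleartext")
        elif isinstance(value, str):
            # Free-text fields are where stripe data and PANs leak into storage.
            if TRACK1_RE.search(value):
                problems.append(f"{field}: contains magnetic stripe track data")
            for run in DIGIT_RUN_RE.findall(value):
                if luhn_valid(run):
                    problems.append(f"{field}: contains a cleartext PAN-like number")
    return problems


# Constructed sample: encrypted PAN and name, cleartext expiry, a CVV field,
# and a support note into which the full track 1 data was pasted.
SAMPLE_RECORD = {
    "pan": "<ciphertext>", "cardholder_name": "<ciphertext>", "expiration": "05/25",
    "cvv": "123", "notes": "customer read out %B4111111111111111^SMITH/JOHN^25051011?",
}
SAMPLE_ENCRYPTED = {"pan", "cardholder_name"}
```

Calling `storage_violations(SAMPLE_RECORD, SAMPLE_ENCRYPTED)` flags the cleartext expiry, the CVV field, and both the track data and the PAN inside the note.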