Can I Store Cardholder Data?
This article aims to clarify the requirements that the Payment Card Industry Data Security Standard (PCI DSS) imposes on the safeguarding of cardholder data (CHD) and, specifically, sensitive authentication data (SAD).
Let's begin with a brief overview. The PCI DSS is an information security standard for organizations that store, process, and/or transmit payment card data. In December 2004, the five major card brands (Visa, MasterCard, JCB, American Express, and Discover*) jointly released PCI DSS version 1.0, which aimed to help businesses process card payments securely and to reduce card fraud; in 2006 they established the Payment Card Industry Security Standards Council (PCI SSC) to maintain the Standard. Over time, the Standard has evolved, and version 4.0 was released on March 31, 2022. It outlines a set of fundamental controls that all organizations processing payment card data are expected to adhere to.
However, it is important to note that, within payment card data, PCI DSS distinguishes between the storage, processing, or transmission of cardholder data (CHD) and of sensitive authentication data (SAD). In this article, we will explore the differences between the two and highlight the additional PCI DSS requirements that apply specifically to SAD.
*In 2020, UnionPay became a strategic partner of the Payment Card Industry Security Standards Council (PCI SSC), joining the original five brands.
CHD vs. SAD
The Payment Card Industry Data Security Standard (PCI DSS) classifies both cardholder data (CHD) and sensitive authentication data (SAD) as account data. CHD consists, at a minimum, of the full primary account number (PAN); it may also include the cardholder name, expiration date, and service code when these are stored together with the PAN. The PCI DSS storage requirements are triggered by the PAN: if only the cardholder name, expiration date, or service code are stored, without the PAN, those storage requirements do not apply to them.
SAD comprises the full track data (from the magnetic stripe, or the equivalent data on a chip), the card verification code, and PINs or PIN blocks. Different card brands use different names for the verification code: 'card verification value' (CVV2) for Visa, 'card authentication value' (CAV2) for JCB, 'card validation code' (CVC2) for MasterCard, and 'card identification number' (CID) for American Express and Discover.
For Discover, JCB, MasterCard, and Visa payment cards, the verification code is the three-digit value printed on the signature panel on the back of the card. For American Express payment cards, it is a four-digit, unembossed number printed above the PAN on the front of the card. The code is unique to each card and ties the PAN to the physical card.
For SAD, PCI DSS imposes requirements beyond those that apply to CHD. Most notably, SAD must never be stored after authorization, even if encrypted, unless the organization is an issuer (or supports issuing services) with a legitimate business need to retain it, and then only if it is secured. This prohibition applies even when there is no PAN in the environment. Storage of SAD before authorization is not prohibited outright, but organizations need to consult their acquirer or the individual payment brands directly to understand whether it is allowed, how long it may be retained, and what usage and protection requirements apply.
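As an added illustration (example code written for this page, not anything from the article, the author, or PCI SSC), the Python below encodes the CHD/SAD split in the two forms a practitioner actually needs: a filter that strips every SAD element from an authorization record before anything is persisted post-authorization, and a scanner that flags track data, labelled verification codes, and Luhn-valid PANs in free text such as gateway logs, which is where SAD is easily retained without anyone intending it. The record layout, field names, and log lines are constructed assumptions; the track layouts follow ISO 7813.

```python
import re

# Constructed authorization request; the field names are assumptions,
# real gateways use their own schemas.
AUTH_REQUEST = {
    "pan": "4111111111111111",          # Luhn-valid test PAN, not a real card
    "cardholder_name": "JOHN DOE",
    "expiry": "2512",
    "service_code": "101",
    "cvv2": "123",
    "track2": ";4111111111111111=2512101?",
    "pin_block": "A1B2C3D4E5F60718",
    "amount": "19.99",
}

# Account data classification as the article describes it.
CHD_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}
SAD_FIELDS = {"cvv2", "track1", "track2", "pin_block"}

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{7}[^?]*\?")
# A verification code labelled with any brand's name for it
CODE_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
# Candidate PANs: 13-19 digit runs not embedded in a longer run of digits
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that cannot be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sad(text: str) -> list:
    """Names of the SAD elements found in one free-text line (log, debug dump, ...)."""
    hits = []
    if TRACK1_RE.search(text):
        hits.append("track1")
    if TRACK2_RE.search(text):
        hits.append("track2")
    if CODE_RE.search(text):
        hits.append("verification_code")
    return hits


def find_pan(text: str) -> list:
    """Luhn-valid PAN candidates in one free-text line."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def classify(record: dict) -> dict:
    """Partition a record's keys into CHD, SAD, and everything else."""
    return {
        "chd": sorted(k for k in record if k in CHD_FIELDS),
        "sad": sorted(k for k in record if k in SAD_FIELDS),
        "other": sorted(k for k in record if k not in CHD_FIELDS | SAD_FIELDS),
    }


def persistable_after_auth(record: dict) -> dict:
    """Drop every SAD field before the record is written anywhere after authorization.
    The PAN that remains is still subject to the PCI DSS storage requirements."""
    return {k: v for k, v in record.items() if k not in SAD_FIELDS}


# Constructed log lines of the kind a debug-level gateway log might contain.
LOG_LINES = [
    "2023-06-01 12:00:01 auth ok pan=4111111111111111 cvv2=123 amount=19.99",
    "2023-06-01 12:00:02 swipe raw=%B4111111111111111^DOE/JOHN^2512101?",
    "2023-06-01 12:00:03 order 1234567890123456 shipped",   # not Luhn-valid: ignored
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(find_sad(line), find_pan(line), line)
    print(classify(AUTH_REQUEST))
    print(persistable_after_auth(AUTH_REQUEST))
```

The scanner is deliberately conservative: the Luhn check removes most order numbers and timestamps that happen to be 13 to 19 digits long, and the verification-code pattern only fires on a labelled value, since a bare three-digit number is meaningless on its own. Run it over application logs, crash dumps, and database exports as a periodic check that nothing in the SAD set survives past authorization.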
Written by
Mary Fleming
I'm an experienced consultant skilled in the Payment Card Industry Data Security Standard (PCI DSS), and a strong consulting professional with a Master of Science (MSc) focused on Information Management and Security.