Storing cardholder data is one of the many areas examined in a Payment Card Industry Data Security Standard (PCI DSS) assessment. There are detailed rules about what CAN and CANNOT be stored, but before getting to those: if your organization is a merchant or service provider that needs to become PCI compliant, the first step is to identify your payment card transaction volume, which determines your merchant or service provider level and therefore how you must validate compliance. Once you have done that, you can work through the PCI DSS requirements, one of which governs the storage of cardholder data. Generally speaking (there are exceptions that can be allowed for a compelling business reason or justification), here is what you CAN and CANNOT store:
This is what you CAN store, but it MUST be protected: the Primary Account Number (PAN), the cardholder name, the service code and the expiration date. The PAN in particular must be rendered unreadable anywhere it is stored (for example by truncation, one-way hashing, tokenization or strong encryption with proper key management), and the other three elements must be protected when they are stored together with the PAN.
This is what you CANNOT store after authorization, even if it is encrypted: full magnetic stripe (or equivalent chip) track data, the card verification code (CVV2, CVC2, CID or CAV2 depending on the brand, the code a merchant asks for to authorize a card-not-present transaction), and PIN or PIN block data. PCI DSS refers to these collectively as sensitive authentication data. As I said earlier, a compelling business reason or justification for storing some of this data may be allowed (the standard permits it only for issuers and entities that support issuing services, and only when the data is stored securely), but not until the justification has been analyzed by a PCI QSA or another payment brand expert in the field.
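As an added example (not code from this page or from NDB Advisory), here is a small Python check that applies the two lists above to a record before it is written to storage: it flags sensitive authentication data (CVV-type fields, track data, PIN fields) and any full PAN, and shows one way to make the record storable by dropping the forbidden fields and truncating the PAN. The field names, the track-data regexes and the sample record are assumptions constructed for this example; brand-specific field names and real stripe formats vary.

```python
"""Check stored records against the PCI DSS 'can store' / 'cannot store' lists.

Added example; field names, patterns and sample data are assumptions.
"""
import re
from typing import Dict, List

# Track 1 ("%B<PAN>^<NAME>^<YYMM><service code>...?") and track 2
# (";<PAN>=<YYMM><service code>...?") as read from a magnetic stripe.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{7}")
# A run of 13-19 digits not embedded in a longer digit run; confirmed with Luhn below.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Field names treated as sensitive authentication data (assumed names for this example).
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "cav2", "pin", "pin_block",
              "track1", "track2", "track_data"}


def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation, used to tell PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in the text."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits. Truncation is one of the
    methods PCI DSS accepts for rendering a stored PAN unreadable (hashing,
    tokenization and strong encryption are the others)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record: Dict[str, object]) -> List[str]:
    """Return one finding per storage violation found in a record."""
    findings: List[str] = []
    for key, value in record.items():
        text = str(value)
        if key.lower() in SAD_FIELDS:
            findings.append(f"sensitive authentication data stored in field '{key}'")
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            findings.append(f"magnetic stripe track data stored in field '{key}'")
        for pan in find_pans(text):
            findings.append(f"unprotected PAN stored in field '{key}': {truncate_pan(pan)}")
    return findings


def sanitize_record(record: Dict[str, object]) -> Dict[str, str]:
    """Make a record storable: drop SAD and track data, truncate any full PAN.
    Values are normalized to strings so that numeric PANs are caught too."""
    clean: Dict[str, str] = {}
    for key, value in record.items():
        text = str(value)
        if key.lower() in SAD_FIELDS or TRACK1_RE.search(text) or TRACK2_RE.search(text):
            continue  # never written to storage, regardless of encryption
        clean[key] = PAN_RE.sub(
            lambda m: truncate_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text)
    return clean


# Constructed sample record (4111... is a well-known Visa test number, not real card data):
# a raw swipe captured by a POS application and about to be logged to a database.
RAW_SWIPE = {"pan": "4111111111111111", "name": "J DOE", "exp": "2512",
             "service_code": "101", "cvv2": "123",
             "raw_swipe": ";4111111111111111=2512101?"}

if __name__ == "__main__":
    for finding in audit_record(RAW_SWIPE):
        print("VIOLATION:", finding)
    storable = sanitize_record(RAW_SWIPE)
    print("storable record:", storable)
    print("violations after sanitizing:", audit_record(storable))
```

Run against the sample record, the audit reports the full PAN, the CVV2 field, and the track-2 string in the swipe log (which also contains the PAN, so it is reported twice); after sanitizing, only the truncated PAN, name, expiry and service code remain and the audit is clean. The same pattern matching is how SAD leaked into application logs and database dumps is typically found during an assessment.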
Payment Card Industry PCI Compliance and Scope

A grey area that needs clarification regarding the Payment Card Industry Data Security Standard, known to many simply as PCI DSS, is understanding what the scope of a PCI DSS assessment actually is. According to the standard, scope is defined around the cardholder data environment (CDE), and an assessment can be limited to the CDE only IF adequate network segmentation is in place and has been verified.
In essence, if you have carved out and isolated the cardholder data environment, then that environment is the scope. However, if the cardholder data environment is meshed into your overall network, the scope grows substantially.
Why? Because if you (that is, any entity that processes, stores or transmits cardholder data) cannot confirm and demonstrate that the cardholder data environment is isolated, then a PCI DSS assessment must include every system component that is connected to, or could affect the security of, that environment.
To learn more about Payment Card Industry PCI compliance and becoming PCI DSS compliant, please contact NDB Advisory.
Many merchants or service providers having to comply with the Payment Card Industry Data Security Standards, commonly known as PCI DSS, actually think it’s a law or a regulation. It’s not.
PCI DSS is a standard put forth and enforced by the major payment brands (Visa, Mastercard, American Express, JCB and Discover) through the PCI Security Standards Council and through their contracts with acquirers, merchants and service providers. SOX, GLBA and HIPAA, which are sometimes listed alongside it, are laws and are not part of the payment card standard. That said, some states, such as Minnesota, have codified parts of the PCI DSS standard into law, for example the Minnesota Plastic Card Security Act.
To learn more about the Payment Card Industry Data Security Standard and becoming PCI DSS compliant, please contact NDB Advisory.