Storing Cardholder Data for PCI DSS Compliance | Expert Advice from a QSA
March 26, 2009
Storing cardholder data is one of the many areas examined in a Payment Card Industry (PCI) Data Security Standard (DSS) assessment. There are many guidelines on what CAN and CANNOT be stored, but before we elaborate on that, if your organization is a merchant or service provider that needs to become PCI compliant, first identify your payment card transaction volume to determine which level you fall into. Once you have done that, you can start looking at the PCI DSS requirements, one of which is the storage of cardholder data. So, generally speaking (there are some exceptions that can be allowed based on compelling business reasons or justifications), here is what you CAN and CANNOT store regarding cardholder data:
This is what you CAN store, but it also MUST be protected: the Primary Account Number (PAN), the cardholder name, the service code, and the expiration date.
Now, here is what you CANNOT or SHOULD NOT be storing: full magnetic stripe/track data; CVC2, CVV2, CID and CAV2 (the numbers merchants will often ask for to help complete and authorize a transaction, you know, those secret numbers on your card); and finally PIN/PIN block data. As I said earlier, a compelling business reason or justification for storing some of this critical and sensitive information may be allowed, but not until an analysis is done by a PCI QSA or another payment brand expert in the field.
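As an added example that is not from the original post, the Python below walks stored records and flags the elements the lists above prohibit (track data, CVV2/CVC2/CID/CAV2, PIN blocks), plus any PAN held in readable form rather than masked, truncated, hashed or encrypted. The records, field names and card numbers are constructed for illustration (synthetic test values), and the field-name list and patterns are this example's assumptions, not a PCI DSS-published list.

```python
import re

# Constructed sample records (synthetic test values, not real cards); each
# dict stands for one row a merchant application might have written to disk.
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "name": "J DOE", "exp": "1209", "svc": "101"},
    {"track2": ";4111111111111111=12091011234567890?", "cvv2": "123"},
    {"pan": "411111******1111", "name": "J DOE", "exp": "1209"},
    {"pin_block": "1A2B3C4D5E6F7A8B"},
]

# Sensitive authentication data: must never be retained after authorization.
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "cav2", "pin", "pin_block"}
# Content patterns for magnetic-stripe data, so a mislabelled field is still caught.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")
# A run of 13-19 digits is a PAN candidate; the Luhn check filters most other numbers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: dict) -> list:
    """Return (field, finding) pairs; an empty list means nothing to remediate."""
    findings = []
    for field, value in record.items():
        text = str(value)
        if field.lower() in PROHIBITED_FIELDS or TRACK1_RE.search(text) or TRACK2_RE.search(text):
            findings.append((field, "PROHIBITED: sensitive authentication data"))
            continue
        # PAN is permitted, but only if rendered unreadable wherever it is stored.
        if any(luhn_ok(m) for m in PAN_RE.findall(text)):
            findings.append((field, "CLEAR_PAN: storable but must be protected"))
    return findings


def scan_records(records: list) -> list:
    """Scan every record and return one findings list per record."""
    return [scan_record(r) for r in records]
```

The masked PAN in the third record produces no finding, which is the state every stored PAN should reach.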
Learn more about storing cardholder data at the PCI Resource Guide