• Q&A
  • What card data is covered by PCI DSS?

What card data is covered by PCI DSS?

Robyn Ferreira

Robyn Ferreira Answered

LinkedIn

If your business handles card payments, it’s likely that you’ve come across the PCI DSS standard. But what exactly does it cover when it comes to card data? Let’s dive in so you can understand exactly what information needs to be protected, why it’s important, and how it is relevant to your business.

What is PCI DSS?

Before going any further, let’s cover the basics.  

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to safeguard cardholder data. With cybersecurity threats on the rise, PCI DSS requirements are meant to help businesses protect their payment systems from financial fraud, data breaches, and theft of cardholder data (CHD). Created by the PCI Security Standards Council (PCI SSC), the PCI DSS certification applies to any organization that processes, stores, and/or transmits credit or debit card information. 

Whether you run an e-commerce site, a physical store, or provide a service that accepts card payments, PCI DSS compliance is vital when it comes to protecting sensitive transaction data and making sure cardholder data is kept safe.

What Card Data Does PCI DSS Protect?

Not all card data is treated the same. PCI DSS outlines specific pieces of cardholder information that need to be secured to prevent unauthorized access or fraud. 

This type of data falls into two categories: 

Cardholder Data

PCI DSS cardholder data refers to the details on a payment card that can be used to identify the cardholder and facilitate a transaction. Under PCI DSS, this information must be protected. 

Here’s what’s included:

  • Primary Account Number (PAN): The unique number on the card, typically 16 digits. It’s the most critical element, and it must always be secured.
  • Cardholder Name: The name of the person responsible for the account, found on the front of the card.
  • Expiration Date: The card’s expiry date in MM/YY format.
  • Service Code: A code that determines what types of transactions the card can be used for (e.g., where and how).

Sensitive Authentication Data

Sensitive Authentication Data (SAD) is required during the authorization process but must never be stored once the transaction is completed. 

This type of data includes:

  • Tracking Data from a Card Chip or Magnetic Stripe: Information on the magnetic stripe or chip used during a transaction.
  • Card Verification Code (CVC/CVV/CID): The three- or four-digit number on the back (or front) of the card used to verify that the cardholder has the physical card.
  • PIN (Personal Identification Number): Used for validating identity during a transaction where the card is present, such as with a debit card.

What Shouldn’t Be Stored?

Although some elements of cardholder data can be retained for business purposes, sensitive authentication data must never be stored after a transaction has been authorized.

To keep things simple, here’s a breakdown of what can and can’t be stored:

  • You can store:
    • Primary Account Number (PAN), if it’s encrypted or truncated
    • Cardholder Name
    • Expiration Date
    • Service Code
  • You cannot store:
    • Full Magnetic Stripe or Chip Data
    • Card Verification Code (CVC/CVV/CID)
    • PIN or PIN block

Why Does PCI DSS Protect These Data Elements?

By now, you’re probably asking why there is so much emphasis on securing these specific PCI data elements

Well, it’s pretty straightforward. Merchants accepting payment cards from PCI SSC members (MasterCard, Visa, American Express, JCB, and Discover) are prime targets for financial fraud. If cardholder or sensitive authentication data ends up in the wrong hands, criminals can make fraudulent purchases, create counterfeit cards, or even sell the information. 

Merchants face data breach risks every time they process or transmit payment data – often due to weak security systems that allow cybercriminals to access sensitive consumer financial data. Vulnerabilities may occur in various areas, including POS devices, wireless hotspots, unsafe data transmissions, or paper-based storage. 

While not legally required, PCI DSS helps businesses reduce the risk of breaches and fraud by ensuring that payment card transactions are as secure as possible.

How Can Your Business Stay Compliant?

If your business handles any cardholder data, you are required to follow PCI DSS guidelines. Below are some key steps to help you ensure PCI DSS compliance:

  • Identify and understand the data you store, process, or transmit.
  • Encrypt cardholder data, especially the Primary Account Number (PAN).
  • Minimize data storage and never store sensitive authentication data.
  • Implement security controls like firewalls and encryption.
  • Regularly monitor and test systems.
  • Restrict access to authorized personnel only.

Does PCI DSS Apply to My Business?

If your business accepts, processes, or stores card data, PCI DSS applies to you, regardless of company size or transaction volume. Even if you outsource payments to a third-party provider, you are still responsible for ensuring they are compliant. 

PCI DSS compliance ensures that you’re doing your part to protect customers’ sensitive information from theft or misuse, fostering trust and preventing potential devastating consequences along the way. Scytale’s compliance automation platform simplifies the process, making it even easier to meet PCI DSS requirements.

Related Questions