Posted: June 26, 2017
A common misunderstanding among organizations and IT professionals is that cardholder data is limited to the Primary Account Number (PAN) and the Card Verification Value (CVV) codes found on the card. However, this is not the case.
Watch the short video below to find out what is considered cardholder data under the PCI security standards.
Cardholder data is any personally identifiable information (PII) associated with a cardholder. Cardholder data also includes the cardholder’s name, the expiration date of the card and sensitive authentication data. A common misconception is that all of these elements must be encrypted when stored. Only the PAN has to be encrypted when at rest. On the other hand, sensitive authentication data can never be stored, except for the purposes of issuing cards.
The cardholder’s name and expiration date can be stored without encryption. When considering the storage of cardholder data, the PAN is the defining factor. Thus, a cardholder’s name and/or expiration date stored without the PAN is not considered to be cardholder data.
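As an added example (not from the post or CompliancePoint), here is a small Python check that applies the storage rules above to stored payment records: sensitive authentication data present is always a finding, a record with no PAN is not cardholder data, and a PAN that is still a bare digit string is flagged as unprotected. The field names, the sample records and the Luhn checksum used to recognise a cleartext PAN are assumptions for the example; the issuer exception is not modelled.

```python
"""Storage-policy check for stored payment records, following the post's rules."""
import re
from typing import Dict, List

# Field names the example treats as sensitive authentication data (SAD):
# card verification codes, full track data and PIN data. Assumed names.
SAD_FIELDS = {"cvv", "cvc", "cid", "track_data", "pin", "pin_block"}

# Constructed sample records; 4111111111111111 is a well-known test PAN.
RECORDS = [
    {"id": "1", "name": "A. Sample", "pan": "4111111111111111", "expiry": "12/27"},
    {"id": "2", "name": "B. Sample", "pan": "tok_8f3a9c", "expiry": "01/28"},
    {"id": "3", "name": "C. Sample", "expiry": "06/26"},
    {"id": "4", "name": "D. Sample", "pan": "411111******1111", "expiry": "03/29",
     "cvv": "123"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the usual sanity check before treating digits as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_cleartext_pan(value: str) -> bool:
    """13-19 digits passing Luhn: a PAN that was neither encrypted, tokenized
    nor truncated before being written to storage."""
    return bool(re.fullmatch(r"\d{13,19}", value)) and luhn_ok(value)


def check_record(record: Dict[str, str]) -> List[str]:
    """Return policy findings for one stored record."""
    findings = []
    # SAD may never sit in storage, with or without a PAN beside it.
    for field in sorted(SAD_FIELDS & set(record)):
        findings.append(f"sad_stored:{field}")
    pan = record.get("pan")
    if pan is None:
        # Name and expiry without a PAN are not cardholder data under the post's rule.
        findings.append("not_cardholder_data")
    elif looks_like_cleartext_pan(pan):
        findings.append("pan_cleartext")
    else:
        # Not a bare PAN (token, ciphertext or masked value); assumed protected.
        findings.append("pan_protected")
    return findings
```

Run `check_record` over `RECORDS`: only the first record yields `pan_cleartext`, the third is `not_cardholder_data`, and the fourth is flagged for the stored CVV even though its PAN is masked.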
Properly securing cardholder data is essential for PCI compliance. If you have any questions regarding PCI compliance or any other compliance or data security issues, please feel free to reach out to us at firstname.lastname@example.org.
Matt Crane is a Security Consultant at CompliancePoint. Matt’s primary focus is on PCI-DSS compliance, NIST 800-53 assessment framework, NIST Cyber Security Framework, Minimum Acceptable Risks for State Exchange (MARS-E) auditing, and Physical Security. He is a Certified Information Systems Auditor (CISA), Qualified Security Assessor (QSA), Payment Card Industry Professional (PCIP), and Certified Federal IT Security Professional Auditor (FITSP-A). Matt also earned a B.B.A. in Information Security and Assurance from Kennesaw State University.