BY Stephen Cavey | 23 March 2022
Payment card data is an important topic for merchants; if they handle credit card data within their business, chances are it is being stored unknowingly on their devices and systems. Any business that stores, transmits, or processes payment card transactions needs to be familiar with PCI DSS compliance and know how to safely handle payment card information. PCI DSS is a comprehensive set of requirements to ensure the security and safety of payment card transactions. The overarching rule is that unless you have a legitimate reason to store cardholder data, don’t.
Under the PCI DSS, there are two key areas of data that need to be protected:
1. Cardholder Data
Cardholder Data (CHD) is the most basic form of data that must be protected under the PCI DSS. All of the various PCI standards define it as the full Payment Account Number (PAN), the 13- to 19-digit card number you will find on any payment card.
Cardholder Data is also considered as the full PAN plus any of the following elements:
2. Sensitive Account Data (SAD)
SAD is defined by the PCI Security Standards Council (PCI SSC) as “security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks usually within transaction data) used to authenticate cardholders and/or authorize payment card transactions.”
In more specific terms, SAD can be broken down into the following:
i) Magnetic Stripe Data
The magnetic stripe is traditionally on the back of a card and is encoded with a variety of data elements including the full PAN,
On the back of a payment card, the magnetic stripe includes sensitive elements. Depending on the card brand that issues the card, the SAD can include:
The exact contents encoded onto a magnetic stripe follow a consistent layout across all payment card brands.
ii) Printed Security Features
On the back of each card, a printed security feature is visible: a 3-digit value printed on Discover, JCB, Mastercard, and Visa cards, or a 4-digit unembossed value on the front (or 3-digit value on the back) of American Express cards.
Just like the magnetic stripe SAD, the name of this value depends on the card brand:
iii) PIN / PIN Block Data
PIN and PIN block data will be present when a PIN is used as part of authenticating a transaction. It is most commonly seen within debit transactions. The PIN data is contained within the transaction message associated with a payment, which secure payment terminals, payment processors, acquirers, and issuers will store, transmit, or process. Most merchants will not need to take any additional steps, provided they are using a compliant PIN entry device / POS terminal. However, payment processors, acquirers, and issuers often have to prove during a PCI assessment that no PIN / PIN block data is present, as part of validating end-to-end transaction encryption between the merchant device and the card issuer.
Organizations that verify designated cardholder data may store it, within the limits of the law. The information that you are allowed to store is the same as what is usually featured on the face of a bank card: the 16-digit main account number, cardholder name, service code, and expiration date. All of these should be encrypted to ensure secure storage.
The PCI standards are very clear that an organization may not store Prohibited Data, but what exactly is Prohibited Data?
Sensitive authentication data (SAD) on the magnetic stripe or the EMV chip of a card must never be stored. SAD also includes the CVV (or equivalent data) as well as the PIN and PIN block. This data is extremely valuable to attackers for use in both card-present and card-not-present environments.
All merchants must be aware of the 12 PCI DSS compliance requirements; however, their main focus should be on Requirement 3, which requires merchants to protect stored cardholder data. The public assumes merchants and financial institutions will stop the unauthorized use of card information, and knowing the ins and outs of the requirement helps both parties ensure compliance.
Within the requirement are these extra clauses:
Safely storing the information collected as a result of credit card transactions begins with having a deep understanding of where all of this data resides. Making a data discovery tool part of your greater PCI DSS compliance plan can help your business understand exactly what data it’s storing and where.
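As an added illustration of what a discovery scan actually checks for (example code written for this article, not Ground Labs’ product code), the sketch below applies the two rules the text describes to a few constructed log lines: a 13- to 19-digit run that passes the Luhn check is treated as a PAN and masked to its first six and last four digits, while a Track 2-style stripe record (ISO/IEC 7813 layout) is flagged as SAD that must be deleted rather than masked. The Visa test PAN 4111111111111111 and the sample lines are constructed inputs.

```python
import re

# Constructed sample of data "stored unknowingly": an order log with a PAN,
# a raw Track 2 stripe record, and a benign 13-digit customer id.
SAMPLE_LINES = [
    "2022-03-23 order=1234 pan=4111111111111111 exp=1225 status=ok",
    "raw=;4111111111111111=25121011234567890?",
    "order=1235 customer_id=1234567890123 status=ok",  # fails Luhn, not a PAN
]

# A run of 13-19 digits not adjacent to other digits is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS-style masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (masked_line, findings) per line; findings name what was found."""
    results = []
    for line in lines:
        findings = []
        if TRACK2_RE.search(line):
            findings.append("track2")   # SAD: prohibited, delete the record
        masked = line
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append("pan")  # CHD: may be kept only masked/encrypted
                masked = masked.replace(m.group(1), mask_pan(m.group(1)))
        results.append((masked, findings))
    return results
```

A real discovery tool adds file-format parsing and many more data types, but the PAN-plus-Luhn and track-pattern checks above are the core of finding card data that should not be there.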
If you are not sure where you are storing sensitive card data, or even what data you are storing, Ground Labs serves as a comprehensive and trusted partner to organizations that conduct payment processing. Ground Labs’ Enterprise Recon PCI solution is the global leader in PCI scanning. It allows organizations to discover and remediate sensitive cardholder information and over 300 other data types, including sensitive, personal and confidential data, across an organization’s entire network. The remediation functions available to mask, encrypt or delete sensitive data make it an effective solution to help organizations achieve and maintain PCI DSS compliance.
Have questions about PCI compliance or are curious to learn more about Enterprise Recon PCI? Schedule a demo with one of our PCI data discovery experts today.