Blog Post
How to safely store credit card information and achieve PCI compliance
Payment card data is an important topic for merchants; if they handle credit card data within their business, chances are it is being stored unknowingly on their devices and systems. Any business that stores, transmits, or processes payment card transactions needs to be familiar with PCI DSS compliance and know how to safely handle payment card information. PCI DSS is a comprehensive set of requirements to ensure the security and safety of payment card transactions. The overarching rule is that unless you have a legitimate reason to store cardholder data, don’t.
Data that requires protection under PCI DSS
Under the PCI DSS, there are 2 key areas of data that need to be protected:
1. Cardholder Data
Cardholder Data (CHD) is the most basic form of data that must be protected under the PCI DSS. It’s defined by all of the various PCI standards as the Full Payment Account Number (PAN) which is the 13 - 19 digit card number you will find on any payment card.
Cardholder Data is also considered as the full PAN plus any of the following elements:
- Cardholder name
- Expiration date
- Service code
2. Sensitive Account Data (SAD)
SAD is defined by the PCI Security Standards Council (PCI SSC) as Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks usually within transaction data) used to authenticate cardholders and/or authorize payment card transactions.
It is prohibited to store any Sensitive Authentication Data after the transaction is authorized, even if the data is encrypted. |
In more specific terms, SAD can be broken down into the following;
i) Magnetic Stripe Data
The magnetic stripe is traditionally on the back of a card and is encoded with a variety of data elements including the full PAN,
On the back of a payment card, the magnetic stripe includes sensitive elements. Depending on the card brand that issues the card, the SAD can include:
- American Express - Card Security Code (CSC)
- China Union Pay (中国银联) - Card Validation Number (CVN)
- JCB - Card Authentication Value (CAV)
- Mastercard - Card Validation Code (CVC)
- Visa - Card Verification Value (CVV)
The exact contents encoded onto a magnetic stripe follow a consistent layout across all payment card brands.
ii) Printed Security Features
On the back of each card, printed security features are visible including a 3 digit value printed on Discovery, JCB, Mastercard, and Visa cards, or a 4 digit unembossed value on the front or 3 digit value on the back of American Express cards.
Just like the magnetic stripe SAD, the name of this value depends on the card brand:
- American Express - Card Identification Number (CID)
- China Union Pay (中国银联) - Card Validation Number 2 (CVN2)
- JCB - Card Authentication Value 2 (CAV2)
- Mastercard - Card Validation Code 2 (CVC2)
- Visa - Card Verification Value 2 (CVV2)
iii) PIN / PIN Block Data
PIN and PIN block data will be present when a PIN is used as part of authenticating a transaction. It is most commonly seen within debit transactions. The PIN data is contained within the transaction message associated with a payment that secure payment terminals, payment processors, acquirers, and issuers will store, transmit, or process. Most merchants would usually not need to take any additional steps provided they are using a compliant PIN entry device / POS terminal. However, payment processors, acquirers, and issuers would often have to prove that no PIN / PIN block data is present during a PCI assessment as part of validating end-to-end transaction encryption between the merchant device and the card issuer.
What type of credit card information can businesses store?
Organizations that verify designated cardholder data can store it and are allowed to do so within the limits of the law. The information that you are allowed to store is the same as what is usually featured on the face of a bank card: the 16-digit main account number, cardholder name, service code, and expiration date. These should all be encrypted to ensure cyber-secure storage.
What types of credit card information can businesses not store?
The PCI standards are very clear that an organization may not store Prohibited Data however what exactly is Prohibited Data?
Sensitive authentication data (SAD) on the magnetic stripe or the EMV chip of a card must never be stored. SAD also includes the CVV (or equivalent data) as well as the PIN and PIN block. This data is extremely valuable to attackers for use in both card-present and card-not-present environments.
Aligning credit card storage and achieving PCI compliance
All merchants must have an awareness of the 12 PCI DSS compliance requirements, however, their main focus should be on Requirement 3, which makes sure that merchants protect stored cardholder data. The public assumes merchants and financial institutions will stop the unauthorized use of card information, but knowing the ins and outs of the requirement helps both parties ensure compliance.
Within the requirement are these extra clauses:
- 3.1: This outlines the methodology necessary to ensure that cardholder data is limited to that which is necessary for legal, regulatory, or business needs.
- 3.2: This states that Sensitive Authentication Data (SAD) cannot be stored after authorization, even if it is encrypted.
- 3.3: This requires that the 16-digit Primary Account Number (PAN) must be masked when displayed.
- 3.4: This dictates that if the storage of PAN is unavoidable, that data must be rendered unreadable wherever it is stored.
- 3.5: This expands upon the use of cryptography and requires that validating entities take the necessary steps to protect encryption keys from disclosure and misuse and document those procedures.
- 3.6: Key management processes for the use of cryptographic keys must be fully documented according to this clause.
Confirm you’re storing cardholder data safely with data discovery
Safely storing the information collected as a result of credit card transactions begins with having a deep understanding of where all of this data resides. Making a data discovery tool part of your greater PCI DSS compliance plan can help your business understand exactly what data it’s storing and where.
If you are not sure where you are storing sensitive card data or even what data you are storing, Ground Labs serves as a comprehensive and trusted partner to organizations who conduct payment processing. Ground Labs Enterprise Recon PCI solution is the global leader in PCI scanning. It allows organizations to discover and remediate sensitive cardholder information and over 300 data types including sensitive, personal and confidential data across an organization’s entire network. The remediation functions are available to mask, encrypt or delete sensitive data and is an effective solution to help organizations achieve and maintain PCI DSS compliance.
Have questions about PCI compliance or are curious to learn more about Enterprise Recon PCI? Schedule a demo with one of our PCI data discovery experts today.