PCI Security Standards
Data Storage Requirements
Requirement 3 of the Payment Card Industry Data Security Standard (PCI DSS) focuses on protecting stored cardholder data. This requirement applies only to merchants who store cardholder information. Merchants who do not store cardholder data are in a more secure position by default: data that is never stored cannot be exposed in a breach.
Businesses that have a legitimate business reason to store cardholder information are required to put additional security protections in place to prevent the sensitive data from leaking. Cardholder data includes all information stored on a customer’s payment card: cardholder name, primary account number (PAN), expiration date, and the information encoded on the magnetic stripe. If your company has a justifiable business need for storing cardholder information, refer to the following requirements from the PCI Security Standards for protecting that data:
Cardholder data that may be stored under the PCI DSS Requirement 3 guidelines, and only in strongly encrypted form that renders it unreadable:
- Primary Account Number
- Cardholder Name
- Service Code
- Expiration Date
Cardholder data that cannot be stored under any circumstances:
- Full magnetic stripe data
- CAV2/CVC2/CVV2/CID
- PIN
Protecting Payment Card Information
Merchants storing the customer’s Primary Account Number (PAN) are required by the PCI Security Standards to keep this information in an unreadable format. The Payment Card Industry recommends the following methods to meet this requirement:
- Hash index based on strong cryptography: a one-way hash of the PAN that can be used to locate the record in the database without storing the PAN itself
- Truncation: only displays a segment of the sensitive information (such as showing only the last four of the Primary Account Number)
- Index tokens and stored pads: encryption technology that combines sensitive data with a random key or pad
- Strong cryptography
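The two lists above (data that must never be stored, and the methods for rendering a stored PAN unreadable) can be combined into a single pre-storage gate. The following is an added example written for this page, not code from the PCI Security Standards Council or any vendor. It uses HMAC-SHA256 as the keyed one-way hash, a random surrogate held in an in-memory vault as the index token, and masking to the last four digits as the truncation; the field names (`pan`, `cvv2`, `track_data`, `pan_last4`, ...) and the vault class are hypothetical choices for the illustration. Encryption of the remaining stored elements is left to the database layer and not shown.

```python
"""Added example (not part of the original page): a pre-storage gate that
applies the PCI DSS Requirement 3 rules described above to a payment record.

Assumptions: field names are hypothetical; the HMAC key and the token vault
must be kept outside the application database in a real deployment.
"""
import hashlib
import hmac
import secrets

# Sensitive authentication data that must never be stored after authorization
# (full track data, card verification codes, PIN / PIN block). Names are constructed.
PROHIBITED_FIELDS = {"track_data", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}


def prohibited_fields(record: dict) -> set:
    """Return the prohibited data elements present in a record (empty set if none)."""
    return PROHIBITED_FIELDS & set(record)


def normalize_pan(pan: str) -> str:
    """Strip spaces and validate the PAN is 13-19 digits; raise otherwise."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("pan must be 13-19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: mask everything except the last four digits."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup index.

    A plain unkeyed SHA-256 of a PAN is cheap to brute-force because the PAN
    space is small; keying the hash and keeping the key out of the database
    addresses that weakness."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the PAN is replaced by a random surrogate, and the
    token-to-PAN mapping lives only inside the vault."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)          # 16 hex chars, unrelated to the PAN
        self._tokens[token] = normalize_pan(pan)
        return token

    def detokenize(self, token: str) -> str:
        return self._tokens[token]


def prepare_for_storage(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Return a copy of the record that is safe to persist, or raise ValueError.

    Rejects any record carrying prohibited authentication data, then replaces
    the full PAN with its truncated form, a keyed hash and an index token."""
    present = prohibited_fields(record)
    if present:
        raise ValueError(f"refusing to store prohibited authentication data: {sorted(present)}")
    pan = normalize_pan(record["pan"])
    # Other stored elements (name, expiration date) pass through here; the page's
    # rule is that they too are kept only in protected form at the storage layer.
    stored = {k: v for k, v in record.items() if k != "pan"}
    stored["pan_last4"] = truncate_pan(pan)
    stored["pan_hmac"] = hash_pan(pan, key)
    stored["pan_token"] = vault.tokenize(pan)
    return stored


def leaks_full_pan(stored: dict, pan: str) -> bool:
    """Sanity check a practitioner would run in tests: does any stored value
    still contain the full PAN?"""
    digits = normalize_pan(pan)
    return any(digits in str(v) for v in stored.values())


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test PAN.
    sample = {"pan": "4111 1111 1111 1111", "name": "Test Customer", "expiry": "12/29"}
    vault = TokenVault()
    safe = prepare_for_storage(sample, b"constructed-demo-key", vault)
    print(safe)
    print("leaks full PAN:", leaks_full_pan(safe, sample["pan"]))
```

The vault and the HMAC key are the two secrets that make this scheme work: if either sits in the same database as the stored records, an attacker who dumps that database recovers the PANs, so the example only makes sense when they are kept in separately protected storage.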