Securing payment card data


Payment card industry data security standard and sensitive card data


The Payment Card Industry Data Security Standard (PCI DSS) is the main document defining the security principles for payment card data. In 2004 the largest international card schemes, VISA International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International, joined forces to protect payment card data and established the Payment Card Industry Security Standards Council (PCI SSC), which released the first version of PCI DSS later that year. PCI DSS is a live, evolving set of rules and recommendations that changes constantly to address the most recent threats and risks to card data.

Latest standard version

PCI DSS applies to all entities involved in payment card processing (such as merchants). It also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Cardholder data and/or sensitive authentication data

Data                           Data Element                                   Storage Permitted   Render Stored Data Unreadable
-----------------------------  ---------------------------------------------  ------------------  -----------------------------
Cardholder Data                Primary Account Number (PAN)                   Yes                 Yes*
                               Cardholder Name                                Yes                 No
                               Service Code                                   Yes                 No
                               Expiration Date                                Yes                 No
Sensitive Authentication Data  Full Track Data (full track data from the      No                  n/a (storage not permitted)
                               magnetic stripe, equivalent data on the chip,
                               or elsewhere)
                               PIN/PIN Block                                  No                  n/a (storage not permitted)

* The standard requires that the PAN be rendered unreadable wherever it is stored.

Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD may be stored prior to authorization, for how long, and what usage and protection requirements apply.
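The table and the paragraph above translate directly into a pre-storage check: SAD fields must be absent after authorization, the PAN must be rendered unreadable, and no full PAN should slip into storage through an unrelated field such as free-text notes. The following is an added example written for this page, not code from the PCI SSC or from any payment product; the record field names (pan, cardholder_name, expiration, service_code, track_data, pin_block, notes), the masking style and the use of a keyed SHA-256 hash as a correlation token are assumptions chosen for illustration.

```python
"""Pre-storage filter applying the PCI DSS data-element rules above.

Added example for this page (not PCI SSC code). The record layout and field
names below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import re

# Elements the table permits to be stored. Only the PAN must additionally be
# rendered unreadable before it is written.
STORABLE_CARDHOLDER_DATA = ("pan", "cardholder_name", "service_code", "expiration")

# Sensitive authentication data: never stored after authorization, even encrypted.
SENSITIVE_AUTH_DATA = ("track_data", "pin_block")

# 13 to 19 digits, optionally separated by single spaces or hyphens; used to
# spot a full PAN that was pasted into a field that should never carry one.
PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


class SensitiveAuthDataError(ValueError):
    """Raised when a record still carries SAD at the point of storage."""


def luhn_valid(candidate: str) -> bool:
    """Return True if the digits in `candidate` pass the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_leaked_pans(text: str) -> list:
    """Return Luhn-valid PAN-shaped digit runs found inside free text."""
    return [m.group() for m in PAN_RUN.finditer(text) if luhn_valid(m.group())]


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: keep only the last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (assumed design) so records can be
    correlated by card without the PAN itself being stored. The key must be
    managed as a cryptographic key, separately from the stored records."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, token_key: bytes) -> dict:
    """Return the subset of `record` that may be written after authorization."""
    present_sad = [f for f in SENSITIVE_AUTH_DATA if record.get(f)]
    if present_sad:
        raise SensitiveAuthDataError(f"refusing to store SAD fields: {present_sad}")

    stored = {}
    for field in STORABLE_CARDHOLDER_DATA:
        if field in record:
            stored[field] = record[field]

    if "pan" in stored:
        pan = stored.pop("pan")
        stored["pan_masked"] = mask_pan(pan)
        stored["pan_token"] = pan_token(pan, token_key)

    # Any other field (notes, references, amounts) is copied through, but a
    # full PAN hidden in a string field blocks the write.
    for field, value in record.items():
        if field in STORABLE_CARDHOLDER_DATA or field in SENSITIVE_AUTH_DATA:
            continue
        if isinstance(value, str) and find_leaked_pans(value):
            raise ValueError(f"full PAN found in non-card field {field!r}")
        stored[field] = value
    return stored


if __name__ == "__main__":
    # Constructed sample record using a well-known test card number.
    sample = {
        "pan": "4111111111111111",
        "cardholder_name": "A. Example",
        "expiration": "12/29",
        "service_code": "201",
        "track_data": "",      # cleared after authorization, as required
        "pin_block": None,
        "amount": "12.50",
    }
    print(sanitize_for_storage(sample, b"constructed-demo-key"))
```

The filter refuses the whole write rather than silently dropping SAD, so a record that still carries track data or a PIN block after authorization surfaces as an error that can be alerted on; the same applies to a full PAN found in a notes field, which is the usual way card data ends up in logs and databases that were never scoped for it.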

The standard includes 12 high-level requirements, grouped under six goals that are achieved when a merchant adheres to all of the requirements.

PCI DSS requirements and goals

Goal: PCI DSS requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel