PCI Security Standards Data Storage Requirements

Data Storage

Requirement three of the Payment Card Industry Data Security Standard (PCI DSS) focuses on protecting stored cardholder data. This requirement applies only to merchants who store cardholder information. Merchants who do not store cardholder data are automatically more secure and are further protected from a security breach.

Businesses that do have a legitimate business reason to store cardholder information are required to have further security protections in place to defend against leaking the sensitive data. Cardholder data includes all information stored on a customer’s payment card: cardholder name, primary account number (PAN), expiration date, and information stored on the magnetic stripe. If your company has a justifiable business need for storing cardholder information, please refer to the following requirements from PCI DSS for protecting the cardholder data:

Cardholder data that may be stored in adherence with the PCI DSS Requirement 3 guidelines, but only in strongly encrypted format and rendered unreadable:

  • Primary Account Number
  • Cardholder Name
  • Service Code
  • Expiration Date

Cardholder data that cannot be stored under any circumstances:

  • Full Magnetic Stripe Data
  • CAV2/CVC2/CVV2/CID
  • PIN

Protecting Payment Card Information

Merchants storing the customer’s Primary Account Number (PAN) are required by PCI DSS standards to save this information in an unreadable format. The following methods are recommended by the Payment Card Industry to meet this requirement:

  1. Hash-index including strong cryptography: shows index data of where the records of sensitive information are located within the database
  2. Truncation: only displays a segment of the sensitive information (such as showing only the last four of the Primary Account Number)
  3. Index tokens and stored pads: encryption technology that combines sensitive data with a random key or pad
  4. Strong cryptography
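
Truncation and a hash index from the list above, as an added Python example that is not part of the original page or of any PCI publication. The function names, the record keys and the choice of HMAC-SHA256 as the keyed hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalize_pan(pan: str) -> str:
    """Strip separators; reject anything that is not 13-19 ASCII digits (assumed range)."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a plausible PAN")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits; the rest is discarded, not hidden."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed one-way index so a record can be found by PAN without storing the PAN.

    A bare hash of a PAN can be reversed by enumeration because the digit space
    is small; the secret key, held outside the database, prevents that.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def to_storable(auth_record: dict, key: bytes) -> dict:
    """Build the stored row from an allowlist, so the magnetic stripe data,
    card validation code and PIN can never be copied into storage by accident.
    Name and expiration date are left out because this sketch does no encryption.
    """
    return {
        "pan_display": truncate_pan(auth_record["pan"]),
        "pan_index": pan_index(auth_record["pan"], key),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: in practice this comes from a key store
    # Constructed sample record using a well-known test PAN, not real card data.
    sample = {"pan": "4111 1111 1111 1111", "cvv2": "123", "pin": "0000",
              "track_data": "<constructed>", "name": "A. Example"}
    print(to_storable(sample, key))
```

Where truncated and hashed forms of the same PAN are kept together, the index key is what stops the two from being correlated back to the full number, so it needs the same protection as an encryption key.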

The following lists summarize the basic requirements for storing cardholder information:

Data Do's

  • Do use cryptography to protect the cardholder data that you store.
  • Do understand the entire transaction process and where the credit card information travels electronically when a card is processed.
  • Do make sure that your payment applications meet PCI compliance standards.
  • Do store cardholder data if you have a valid business need to save this information.
  • Do make sure the data is secured in a protective environment.
  • Do make certain that third parties who process your credit card payments understand and comply with all PCI DSS, PED, and PA-DSS standards.
  • Do give each administrator a unique password and ID.

Data Don'ts

  • Do not save cardholder data on unsecured devices, such as laptops or cell phones.
  • Do not have the PIN entry device print out personal cardholder information.
  • Do not keep authentication data stored on the customer’s payment card chip or magnetic stripe.
  • Do not store cardholder data unless you have a justifiable business need to store the information.
  • Do not allow anyone except authorized personnel to access stored cardholder data.
  • Do not use payment card system storage devices that are not stored in a locked and protected access room.
  • Do not store the validation code after authorization.