PCI DSS Applicability Information

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Cardholder data and sensitive authentication data are defined as follows:

Account Data

Cardholder Data includes:
  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data includes:
  • Full track data (magnetic-stripe data or equivalent on a chip)
  • CAV2 / CVC2 / CVV2 / CID
  • PINs / PIN blocks

The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with applicable PCI DSS requirements.

PCI DSS requirements apply to organizations where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE [1]. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

The table below illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each data element is permitted or prohibited, and whether each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.

Data Element                                  Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
Account Data
  Cardholder Data
    Primary Account Number (PAN)              Yes                 Yes
    Cardholder Name                           Yes                 No
    Service Code                              Yes                 No
    Expiration Date                           Yes                 No
  Sensitive Authentication Data [2]
    Full Track Data [3]                       No                  Cannot store per Requirement 3.2
    CAV2 / CVC2 / CVV2 / CID [4]              No                  Cannot store per Requirement 3.2
    PIN / PIN Block [5]                       No                  Cannot store per Requirement 3.2

PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.

Sensitive authentication data must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
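The table and the two paragraphs above, expressed as a pre-storage gate. This is an added example, not text or code from the PCI DSS standard: field names, the sample record, the choice of truncation (keeping the last four digits) as the way to render PAN unreadable, and the `sad_pre_auth_permitted` flag standing in for whatever the acquirer or payment brand has actually permitted are all assumptions. It goes slightly beyond the page by also masking Luhn-valid PANs that leak into free-text fields.

```python
import re
from dataclasses import dataclass, field

# Field names are constructed for this example; their classification follows the applicability table.
SAD_FIELDS = {"track_data", "cvv2", "pin", "pin_block"}                    # never storable after authorization
OTHER_CHD_FIELDS = {"cardholder_name", "expiration_date", "service_code"}  # storable, must be protected
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary digit runs (order ids, timestamps) are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def render_pan_unreadable(pan: str) -> str:
    """Truncation, keeping only the last four digits (assumed here; Requirement 3.4 allows other methods)."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    storable: dict = field(default_factory=dict)    # fields as they may be written to storage
    rejected: dict = field(default_factory=dict)    # field -> reason it was dropped
    must_protect: set = field(default_factory=set)  # stored fields that fall under PCI DSS requirements


def storage_gate(record: dict, authorized: bool, sad_pre_auth_permitted: bool = False) -> Verdict:
    """Decide which parts of `record` may be persisted. SAD is never kept after authorization;
    before authorization it is kept only if the acquirer/payment brand permits it."""
    v = Verdict()
    for name, value in record.items():
        if name in SAD_FIELDS:
            if authorized or not sad_pre_auth_permitted:
                v.rejected[name] = "sensitive authentication data: cannot store (Requirement 3.2)"
            else:
                v.storable[name] = value
                v.must_protect.add(name)
        elif name == "pan":
            v.storable[name] = render_pan_unreadable(value)
            v.must_protect.add(name)
        else:
            # PAN also leaks into free-text fields (notes, logs); mask Luhn-valid runs found there.
            text = str(value)
            if any(luhn_ok(m) for m in PAN_RE.findall(text)):
                text = PAN_RE.sub(lambda m: render_pan_unreadable(m.group()) if luhn_ok(m.group()) else m.group(), text)
                v.must_protect.add(name)
            v.storable[name] = text
            if name in OTHER_CHD_FIELDS:
                v.must_protect.add(name)
    return v
```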

[1] In accordance with individual payment brand compliance programs.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere.
[4] The three- or four-digit value printed on the front or back of a payment card.
[5] Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.