| | Data Element | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4 |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| | Cardholder Name | Yes | No |
| | Service Code | Yes | No |
| | Expiration Date | Yes | No |
| Sensitive Authentication Data | Full Track Data | No | Cannot store per Requirement 3.2 |
| | CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2 |
| | PIN/PIN Block | No | Cannot store per Requirement 3.2 |
PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored together with other elements of cardholder data (name, expiration date, service code), only the PAN must be rendered unreadable according to Requirement 3.4; the other elements may be stored in the clear.

Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
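The two rules above (SAD never persisted after authorization; PAN rendered unreadable while name, expiration date and service code may stay in the clear) are easy to state and easy to get wrong in a storage layer. The following is an added example, not text or code from PCI DSS: a sanitizer that is applied to a transaction record at the moment it is written to persistent storage. Everything beyond the table is my assumption: the field names, the choice of truncation (first six and last four digits) combined with a keyed one-way hash (HMAC-SHA256) as the Requirement 3.4 method, and the hard-coded key, which stands in for one held in a separate key-management system. The record is assumed to be post-authorization, so any SAD field present is treated as a bug and the write is refused rather than silently repaired.

```python
"""Storage-layer sanitizer for cardholder data (added example, not PCI DSS text).

Assumptions (mine, not the standard's): dict records with the field names below;
PAN rendered unreadable by truncation plus HMAC-SHA256; key is a placeholder for
one held in a separate KMS/HSM; records reach this function only after authorization.
"""
import hashlib
import hmac
import re

# Sensitive authentication data: must never be stored after authorization,
# encrypted or not (Requirement 3.2). Presence at write time is a defect.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "pin", "pin_block"})

# Cardholder data elements that may be stored in the clear; Requirement 3.4
# applies to the PAN only.
CHD_CLEAR_FIELDS = frozenset({"cardholder_name", "expiration_date", "service_code"})

PAN_RE = re.compile(r"^\d{13,19}$")      # full-field PAN check
PAN_SCAN_RE = re.compile(r"\d{13,19}")   # PAN-like digit runs inside free text

# Placeholder only: a real deployment fetches this from a KMS/HSM, never a literal.
EXAMPLE_KEY = b"example-key-stand-in-do-not-use"


class SadPresentError(ValueError):
    """A record still carries sensitive authentication data at storage time."""


class PanLeakError(ValueError):
    """A PAN-like value survived sanitization in some other field (e.g. a memo)."""


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, so it filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan_like(text: str) -> bool:
    """Heuristic: any 13-19 digit run that passes Luhn is treated as a PAN."""
    return any(luhn_ok(m.group()) for m in PAN_SCAN_RE.finditer(text))


def render_pan_unreadable(pan: str, key: bytes) -> dict:
    """Replace the PAN with a truncated form plus a keyed one-way hash.

    The key matters: with only first-six/last-four visible, an unkeyed hash of the
    full PAN could be brute-forced over the remaining digits and correlated back.
    """
    if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
        raise ValueError("not a syntactically valid PAN")
    truncated = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return {"pan_truncated": truncated, "pan_hmac": digest}


def sad_fields_present(record: dict) -> list:
    """Names of any SAD fields still in the record, sorted for stable error text."""
    return sorted(SAD_FIELDS & record.keys())


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that is safe to persist under Requirements 3.2-3.4."""
    sad = sad_fields_present(record)
    if sad:
        # Fail closed: do not strip and continue, the upstream bug must be fixed.
        raise SadPresentError(f"SAD present at storage time: {sad}")
    out = {}
    for name, value in record.items():
        if name == "pan":
            out.update(render_pan_unreadable(value, key))
        else:
            # Name, expiration date, service code and non-card fields stay as-is.
            out[name] = value
    # Post-condition: no full PAN may survive in any free-text field.
    for name, value in out.items():
        if isinstance(value, str) and contains_pan_like(value):
            raise PanLeakError(f"PAN-like value in field {name!r}")
    return out


if __name__ == "__main__":
    # Constructed sample record; 4111111111111111 is a well-known test PAN.
    sample = {
        "pan": "4111111111111111",
        "cardholder_name": "A. Cardholder",
        "expiration_date": "12/29",
        "service_code": "201",
        "amount": "19.99",
    }
    print(sanitize_for_storage(sample, EXAMPLE_KEY))
```

The post-condition scan is the part most often missing in practice: PANs leak through memo, description and exception-message fields that nobody classified as cardholder data. The sanitizer does not decide whether pre-authorization storage of SAD is allowed; that is the acquirer's and payment brand's call, as the footnote says, and belongs in the authorization path, not here.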
Requirement 9: Restrict physical access to cardholder data

Requirement 9.9.1: Maintain an up-to-date list of devices that capture payment card data via direct physical interaction with the card. The list should include:

i. Make, model of device
ii. Location of device (for example, the address of the site or facility where the device is located)
iii. Device serial number or other method of unique identification

Requirement 9.9.3: Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include:

i. Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
ii. Do not install, replace, or return devices without verification
iii. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
iv. Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer)