| Data Element | | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4 |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| | Cardholder Name | Yes | No |
| | Service Code | Yes | No |
| | Expiration Date | Yes | No |
| Sensitive Authentication Data | Full Track Data | No | Cannot store per Requirement 3.2 |
| | CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2 |
| | PIN/PIN Block | No | Cannot store per Requirement 3.2 |
PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.
Sensitive authentication data must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
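As an added illustration (not part of the PCI DSS text), a pre-storage check that applies the matrix above: it flags sensitive authentication data retained after authorization and a PAN held in readable form, and prepares a record for storage by dropping SAD and replacing the PAN with a keyed hash. The field names, the sample record and the placeholder key are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Handling matrix from the table above (PCI DSS Requirements 3.2 and 3.4).
# Field names are assumptions for this example, not PCI DSS identifiers.
SENSITIVE_AUTH_DATA = {"full_track_data", "cav2_cvc2_cvv2_cid", "pin_block"}
READABLE_PAN = re.compile(r"\d{13,19}")  # a bare 13-19 digit PAN is readable


def storage_violations(record: dict, after_authorization: bool) -> list:
    """List what storing `record` as-is would violate, per the table above."""
    found = []
    if after_authorization:
        # Req 3.2: SAD must not be stored after authorization, even encrypted.
        for field in sorted(SENSITIVE_AUTH_DATA.intersection(record)):
            found.append(f"{field}: SAD stored after authorization (Req 3.2)")
    # SAD before authorization is an acquirer/brand question (see the text
    # above), so it is not flagged; a readable PAN is flagged either way.
    pan = record.get("pan")
    if isinstance(pan, str) and READABLE_PAN.fullmatch(re.sub(r"\D", "", pan)):
        found.append("pan: stored readable; render unreadable (Req 3.4)")
    return found


def prepare_for_storage(record: dict, key: bytes,
                        after_authorization: bool = True) -> dict:
    """Drop SAD post-authorization; replace PAN with a keyed hash (Req 3.4)."""
    stored = {k: v for k, v in record.items()
              if not (after_authorization and k in SENSITIVE_AUTH_DATA)}
    if "pan" in stored:
        digits = re.sub(r"\D", "", stored.pop("pan"))
        # Keyed one-way hash of the entire PAN; key management is out of scope.
        stored["pan_hmac"] = hmac.new(key, digits.encode(),
                                      hashlib.sha256).hexdigest()
    # Name, service code and expiry may be stored as-is (table above).
    assert not storage_violations(stored, after_authorization)
    return stored


# Constructed sample: a well-known test PAN plus SAD, as a payment application
# might hold it during authorization. The key is a placeholder, not a secret.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J DOE",
    "expiration_date": "12/29",
    "service_code": "201",
    "cav2_cvc2_cvv2_cid": "123",
    "full_track_data": "%B4111111111111111^DOE/J^2912201000000000000?",
}
PLACEHOLDER_KEY = b"example-key-replace-with-managed-key"
```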
Requirement 12: Maintain a policy that addresses information security for all personnel.
Where there is an authorized business need, the usage policies must require the data to be protected in accordance with all applicable PCI DSS Requirements.
i. Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
ii. Specific incident response procedures
iii. Business recovery and continuity procedures
iv. Data backup processes
v. Analysis of legal requirements for reporting compromises
vi. Coverage and responses of all critical system components
vii. Reference or inclusion of incident response procedures from the payment brands