Can Cardholder Data be Stored Without Involving PCI Scope? (2024)

ACI Blog

Airlines, Fueling and Convenience, Gaming and Digital Entertainment, Grocery, Hotels, Payment Service Providers, Restaurants, Retailer, ACI Payments Orchestration Platform, Merchants

Is it possible to store cardholder data without PCI scope? The short answer is no, but that doesn’t mean you cannot store a reference to it. Let me explain.

The Payment Card Industry Data Security Standard (PCI DSS) tells anyone handling cardholder data to keep its storage to the minimum the business actually needs (Requirement 3.1) and never to store it in the clear. With the technologies and services available today, keeping a clear-text PAN is never necessary for a merchant or PSP, so cardholder data should never be in the clear, neither in transit nor at rest anywhere an attacker could reach it.

The issue is that today’s consumers want one-click or invisible payments. So, how can merchants securely facilitate these transactions without storing cardholder data?

PCI DSS is organized into 12 requirements, broken down into more than 200 sub-requirements. For the purposes of this discussion we will focus on Requirement 3, “protect stored cardholder data” (retitled “protect stored account data” in PCI DSS v4.0). If cardholder data is to be retained, the PAN must be rendered unreadable anywhere it is stored, using the industry-standard techniques the requirement lists.

PCI DSS assumes that some entities need to store cardholder data in order to authorize later transactions with returning customers. The table below summarizes what may be stored (with protection) and what must never be stored:


Table 1: PCI Security Standards Council: PCI Data Storage Do’s and Don’ts

Ultimately, the primary account number (PAN) must always be protected wherever it is stored and masked whenever it is displayed. Making the PAN unreadable means the data becomes virtually useless to fraudsters. Additional cardholder data (cardholder name, service code and expiration date) must be protected if it is stored together with the PAN. Sensitive authentication data (the full contents of the magnetic stripe or chip, the card verification code (CVV/CVC) and the PIN or PIN block) must never be stored after authorization, even in encrypted form.

PCI DSS Requirement 3.4 (3.5.1 in v4.0) lists the accepted ways to render a stored PAN unreadable:

  • One-way hashes based on strong cryptography, where the entire PAN is hashed (v4.0 requires keyed cryptographic hashes, such as an HMAC, with the key managed like any other cryptographic key)
  • Truncation, which keeps at most the first six and last four digits and discards the rest; hashing may not be used to stand in for the truncated segment
  • Index tokens and pads, i.e., tokenization, where a surrogate value replaces the PAN and the pads or look-up table are stored securely
  • Strong cryptography with associated key-management processes and procedures

Requirement 3.4 also carries a warning practitioners routinely overlook: if both a truncated and a hashed version of the same PAN are stored, additional controls must ensure the two cannot be correlated, because together they make reconstructing the PAN a trivial effort.
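The correlation risk behind that warning, as an added worked example (Python written for this page; it is not code from the article, from ACI or from the PCI SSC). The scenario is constructed: a merchant database keeps “first six + last four” for customer service and an unkeyed SHA-256 of the full PAN as a “unique key”, and an attacker who reads both only has to guess the six hidden digits. The sample PAN is the published Visa test number 4111 1111 1111 1111, not a real card.

```python
"""Added example: why PCI DSS warns against storing a truncated PAN next to an
unkeyed hash of the same PAN. Not code from the article or from ACI.

Constructed scenario: a merchant database keeps 'first6+last4' for customer
service and a plain SHA-256 of the full PAN as a 'unique key'. An attacker who
reads both has to guess only the six hidden digits.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Published Visa test number, not a real card.
TEST_PAN = "4111111111111111"


def truncate_pan(pan: str) -> str:
    """Truncation as PCI DSS permits it: at most the first six and last four digits."""
    return pan[:6] + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 over the PAN: deterministic, so candidates can be tested offline."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the PAN, the keyed construction PCI DSS v4.0 asks for.
    Without the key an attacker cannot test candidate PANs against the digest."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str, pan_len: int = 16) -> Optional[str]:
    """Rebuild the full PAN from first6+last4 plus an unkeyed SHA-256 of it.

    Only pan_len - 10 digits are unknown; for a 16-digit PAN that is 10**6
    candidates (10**5 if the attacker also filters on the Luhn check digit),
    which a laptop exhausts in a second or two. Returns None when nothing
    matches, which is what happens when the stored digest was keyed.
    """
    head, tail = truncated[:6], truncated[6:]
    hidden = pan_len - 10
    for n in range(10 ** hidden):
        candidate = f"{head}{n:0{hidden}d}{tail}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    stored_truncated = truncate_pan(TEST_PAN)
    stored_digest = unkeyed_hash(TEST_PAN)
    print("recovered from truncation + unkeyed hash:", recover_pan(stored_truncated, stored_digest))

    key = secrets.token_bytes(32)  # in production this lives in an HSM or key-management service
    print("same attempt against a keyed hash:", recover_pan(stored_truncated, keyed_hash(TEST_PAN, key)))
```

The brute force does not even need the Luhn shortcut; the point is that truncation and an unkeyed hash each look compliant on their own, and it is storing both of the same PAN in a reachable place that breaks the protection.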

Merchants who plan to retain PANs should make the data unreadable using encryption or tokenization. PCI DSS does not dictate which. A token is a surrogate value that replaces the PAN and has no value outside the system that issued it; for a non-cryptographic token, the only way back to the PAN is the look-up table (the token vault) that maps one to the other.

Many of the other sections of Requirement 3 deal with the cryptographic process: generating, distributing, documenting, rotating and retiring keys. Encryption is an excellent control, but the key-management burden is considerable, and it is best suited to protecting cardholder data in transit rather than to storing and reusing card-on-file data.

Tokens are the better choice for stored data. A token can keep the same form as a PAN (typically 16 digits) and can be partially masked, because part of the PAN can be left unchanged. If the first six digits, the BIN (bank identification number), are preserved, routing and reporting continue to work; note that the industry is moving to eight-digit BINs and PCI SSC’s truncation guidance has been updated to reflect that. Many merchants also preserve the last four digits, which are useful for verification and customer service. Leaving part of the token unchanged keeps it useful, with one caveat: a 16-digit token that preserves the first six and last four digits replaces only the middle six, so its security rests on the access controls around the vault and the de-tokenization service, not on the token being hard to guess.

Tokens come in reversible and non-reversible (irreversible) variations. A merchant that stores a token as a card-on-file credential needs the tokenization provider to be able to reverse it so that later transactions can be authorized, so we will concentrate on reversible tokens.

Reversible tokens can become a PAN again through de-tokenization. For reversible non-cryptographic tokens, obtaining the PAN from its token can only be done by a look-up in a secure card data vault (CDV), which holds the PAN-to-token table. An authorized user obtains the original PAN by sending a de-tokenization request through an appropriate access control mechanism. In practice this is best handled by a tokenization service provider, a third party (e.g., a processor, acquirer or payments gateway) that provides tokenization services to other entities such as merchants, so that the vault and the de-tokenization interface never live inside the merchant’s own environment.
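A minimal version of the reversible, vault-based tokenization described in the last few paragraphs, as an added Python example written for this page (it is not ACI’s product code and not a PCI SSC reference implementation). Assumptions that are not in the article: an in-memory dictionary stands in for the card data vault, a check on a role name stands in for the access control mechanism in front of de-tokenization, the role name “payment-gateway” is hypothetical, and the tokens are deliberately generated to fail the Luhn check so they can never pass as a card number (a design choice of this example; some real schemes issue Luhn-valid tokens). The sample PAN is the published Visa test number.

```python
"""Added example: a minimal reversible, non-cryptographic (vault-based)
tokenization scheme with format-preserving tokens. Not ACI's product code.

Assumptions not in the article: a dict stands in for the card data vault (CDV),
a role-name check stands in for the access-control mechanism in front of
de-tokenization, and tokens are generated to fail the Luhn check so they can
never be mistaken for a PAN.
"""
import secrets

# Hypothetical: the only role allowed to turn a token back into a PAN.
AUTHORIZED_ROLES = {"payment-gateway"}

# Published Visa test number, not a real card.
TEST_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check; the rightmost digit is the check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, starting left of the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking (Requirement 3.3): at most the first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class DetokenizationDenied(PermissionError):
    pass


class TokenVault:
    """PAN <-> token mapping. In a real deployment this sits inside the
    tokenization provider's CDE; the merchant only ever holds the token."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}
        self.audit_log: list[str] = []

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Same PAN -> same token, so a merchant can recognise a returning card
        # (and run one-click payments) without ever holding the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        head, tail = pan[:6], pan[-4:]
        while True:
            # Only the middle digits are replaced: BIN and last four stay for
            # routing, reporting and customer service, as the article describes.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = head + middle + tail
            # Must differ from the PAN, must not collide with an existing token,
            # and (design choice here) must fail Luhn so it can never be
            # submitted as a card number.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """The only way back to the PAN: a vault look-up behind access control."""
        if role not in AUTHORIZED_ROLES:
            self.audit_log.append(f"DENIED role={role} token={mask_pan(token)}")
            raise DetokenizationDenied(role)
        pan = self._token_to_pan[token]  # KeyError for unknown tokens
        self.audit_log.append(f"OK role={role} token={mask_pan(token)}")
        return pan


def demo(pan: str = TEST_PAN) -> dict:
    """Card-on-file flow: the merchant stores the token, only the gateway can reverse it."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    merchant_record = {"customer": "c-1001", "card_on_file": token, "shown_as": mask_pan(token)}
    try:  # the storefront holds the token but is not allowed to de-tokenize
        vault.detokenize(token, role="web-storefront")
        denied = False
    except DetokenizationDenied:
        denied = True
    recovered = vault.detokenize(token, role="payment-gateway")
    return {"token": token, "record": merchant_record, "storefront_denied": denied,
            "gateway_recovered_pan": recovered == pan, "audit": vault.audit_log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The merchant record in demo() contains only the token and its masked display form, which is the situation the article argues for: a system that holds such records can be kept out of scope only because it has no PAN and no way to call detokenize() with an authorized role.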

So while you cannot take cardholder data itself out of PCI scope, you can have a tokenization service replace it and store only the token in your systems. Those systems stay out of scope only as long as they hold no PAN, cannot perform de-tokenization and are segmented from the cardholder data environment; the tokenization service, its vault and the de-tokenization interface remain fully in scope.

For more information on how tokenization works, read the blog: A Primer on Tokens, Tokenization, Payment Tokens and Merchant Tokens

Terry Rourke

eCommerce and Omnichannel Merchants - Marketing

Terry is a seasoned marketing professional with over 30 years of experience. While he has worked in payments for only five years, he has experience with both eCommerce and omnichannel merchants as well as with payment intermediaries. He enjoys building and repairing things with his hands and coming up with innovative ideas to solve complex problems.





FAQs

Can Cardholder Data be Stored Without Involving PCI Scope? ›

Is it possible to store cardholder data without PCI scope? The short answer is no, but that doesn't mean you cannot store a reference to it.

What happens if we are not PCI compliant? ›

Being PCI non-compliant can lead to your organization facing fines from payment processors. Fines can range from $5,000 to $100,000 a month.

Which statement is true regarding storage of cardholder data? ›

The storage of cardholder data must be strictly limited to what is required...

When storing cardholder data, what data can be stored? ›

If required for business purposes, the cardholder's name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.

What must you never do and process cardholder data? ›

NEVER acquire or disclose any cardholder's credit card information without the cardholder's consent, including but not limited to:
  • the full or partial 16-digit card number (PAN)
  • the CVV/CVC (three- or four-digit validation code printed on the card)
  • the PIN (personal identification number)

Is PCI compliance mandatory? ›

Handling payment data involves any combination of collecting data, storing it, or transmitting it. While PCI compliance is not legally required throughout the US, credit card companies may fine companies that do not comply or bar them from accepting payments.

Is PCI compliance necessary? ›

Every business that accepts payment cards, regardless of the number of transactions processed, must comply with PCI DSS; only the way compliance is validated (self-assessment questionnaire or on-site assessment) varies with volume. The card networks (Visa, Mastercard, American Express, etc.) can be contacted directly for information about their specific PCI compliance programs.

What cardholder data can never be stored? ›

Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions). Never store the personal identification number (PIN) or PIN Block.

Which of the following is not in scope in terms of PCI DSS? ›

Out-of-scope systems are components, people, software or network segments that do not store, process or transmit cardholder data, are not connected to and cannot reach the cardholder data environment, and cannot affect the security of any system that does.

What is cardholder data according to PCI standards? ›

The PCI SSC defines cardholder data as the full Primary Account Number, commonly known by the acronym PAN. In addition to the PAN, “cardholder data can include cardholder name, expiration date, and/or service code”.

What are the PCI masking requirements? ›

PCI DSS Requirement 3.3 (3.4.1 in v4.0) requires that the Primary Account Number (PAN) be masked when displayed. A PAN is 13 to 19 digits long (most commonly 16); the most that may be shown is the first six and last four digits. The full PAN may only be displayed to users whose roles include a legitimate business need to see it.

What is PCI scope reduction? ›

The scope and total PCI burden can be reduced by outsourcing specific portions of your CDE or cardholder data flow. Common examples are managed firewall services, log monitoring and management, server hosting facilities, and payment solutions delivered as Software as a Service (SaaS). Outsourcing shifts responsibilities but does not remove them: the merchant still has to confirm the provider's compliance and agree on who covers which requirements.

Who do PCI DSS requirements apply to? ›

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.


What is the fine for PCI non compliance? ›

Usually, you can expect a fine in the range of $5,000 to $50,000 per month; the amount varies and does not include legal and settlement costs. The exact figure depends on several factors, including the card brand, the acquirer and the merchant's transaction volume.

Who is responsible for PCI compliance? ›

It is generally mandated by credit card companies and discussed in credit card network agreements. The PCI Standards Council (SSC) is responsible for the development of the standards for PCI compliance. Its purpose is to help secure and protect the entire payment card ecosystem.


Is PCI compliance required by law in US? ›

While not federally mandated in the U.S., PCI DSS is contractually required through the card brands' merchant and acquirer agreements, and the PCI SSC, founded by the major card brands, maintains the standard. Some states have incorporated PCI DSS into their laws. The latest major version, PCI DSS 4.0, was released at the end of March 2022, followed by the 4.0.1 revision in June 2024.

Why does PCI compliance matter? ›

First and foremost, PCI DSS compliance helps protect the cardholder data that customers share with you during payment or for management. As cyber threats evolve, it's your responsibility as a business that handles cardholder data to implement the necessary security measures to keep this data secure.

What violates PCI compliance? ›

Some examples of PCI DSS violations include: Keeping credit card information on paper in unlocked or unsecured cabinets. Linking point-of-sale systems to other systems that do not have adequate PCI protection. Insufficiently protecting customer and employee usernames and passwords.
