PCI compliance entails handling the right pieces of credit card data, but you should not store every detail that appears on a card.
PCI DSS requirements state that you must not retain sensitive authentication data in your records. You can store general cardholder data, but you must also limit how much you collect and how you manage it.
All PCI data storage rules work alongside the third PCI DSS requirement, which states that you must protect all cardholder data stored on your servers, networks, and other systems. Part of that protection is making sure you store only the right pieces of data. The storage rules also go alongside the fourth PCI requirement, which covers protecting cardholder data that moves over an open network through encryption systems and firewalls.
Cardholder Data You Can Secure
PCI requirements say you can store various pieces of data that can work for your needs. You can include these four points:
- Primary Account Number
The Primary Account Number is the main sixteen-digit number you will find on the front of a card. It includes the major industry identifier for the card, the issuer or bank identification number, the account identifier, and a checksum. These details identify the issuing bank and include a unique account identifier that specifies who holds the card.
The PAN may be stored when necessary, but it must be encrypted when it moves over a public network. Your system can also use tokenization, which replaces the PAN with a surrogate value so that you store less real card data.
- Cardholder Name
The cardholder’s name should be the same as what’s on the physical card.
- Service Code
The service code lists acceptance requirements and limits. It works mainly for magnetic stripe-based cards.
The service code dictates what network the card uses and what transaction types it supports. Some codes may link to reward programs that some issuing banks provide to customers.
- Expiration Date
Every credit card eventually expires. Your database can use the expiration date to determine when a card can no longer be accepted.
What You Cannot Store As PCI Data
The items you must not store are the sensitive authentication data linked to an account. These include:
- Magnetic Stripe Data
The magnetic stripe holds the full track data that identifies the card and account. Data thieves can use that track data to create counterfeit cards that work on magstripe systems.
You must avoid storing magstripe data to prevent potential data theft. While magstripe cards are becoming less common, they remain common enough that you still need to protect this data.
- Card Verification Value
The Card Verification Value or CVV is a short numeric code printed in small characters on the card. It may also be called a CID or CAV, depending on the issuer. The customer must enter the CVV for a card-not-present transaction to confirm that they have physical access to the card.
By not storing the CVV, you reduce the chance that someone who obtains another person's card data can complete a CNP payment. This helps ensure that only the person who physically has the card in hand can complete the transaction.
- Personal Identification Number
The Personal Identification Number is common on debit cards. A PIN is necessary for confirming a person's identity when they use a debit card.
You must avoid storing PINs when collecting debit card data. Not storing a PIN reduces the customer's security risk. A customer may also change their PIN over time, so not storing it avoids holding a value that may already be out of date.
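As an added example (not code from the article), the following Python splits a PAN into the components described in the PAN section, validates its checksum, tokenizes it, and strips the sensitive authentication data listed in this section before anything is stored; the token vault and sample request are constructed stand-ins.

```python
# Added example (not the article's own code): keeps only storable cardholder
# data, tokenizes the PAN, and drops sensitive authentication data (SAD).
import re
import secrets

STORABLE = {"pan", "cardholder_name", "expiration_date", "service_code"}
SAD = {"track1", "track2", "cvv", "pin", "pin_block"}  # never stored

# Stand-in token vault (token -> PAN). A real vault is a separate, hardened
# system; this dict only exists so the example runs offline.
_vault: dict[str, str] = {}

# Constructed sample authorization request; "4111111111111111" is a common
# Luhn-valid test number, not a real card.
SAMPLE_REQUEST = {
    "pan": "4111111111111111", "cardholder_name": "A. Example",
    "expiration_date": "12/29", "service_code": "201",
    "cvv": "123", "track2": "4111111111111111=29121011234567890",
}

def luhn_valid(pan: str) -> bool:
    """Verify the PAN's final check digit with the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pan_parts(pan: str) -> dict[str, str]:
    """Split a PAN into the components the article describes."""
    return {"mii": pan[0], "iin": pan[:6],
            "account": pan[6:-1], "check_digit": pan[-1]}

def tokenize(pan: str) -> str:
    """Replace a valid PAN with a random surrogate only the vault maps back."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    token = "tok_" + secrets.token_hex(8)
    _vault[token] = pan
    return token

def storable_record(request: dict) -> dict:
    """Return the only fields allowed to persist after authorization."""
    record = {k: v for k, v in request.items() if k in STORABLE - {"pan"}}
    record["pan_token"] = tokenize(request["pan"])  # PAN never kept in clear
    return record
```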
Why Have Data Limits?
The limits on how much data you can collect exist to reduce the risk of credit card fraud. Suppose your stored credit card data was breached in some form: even if your business meets PCI standards today, vulnerabilities and attacks shift and change over time. The risk of a breach never truly goes away.
Following proper PCI data storage rules keeps you from exposing too much card data at once. Items such as the CVV or PIN will not be available to a thief, making it harder for that person to use the card. With so many websites requiring these details to confirm transactions, a thief who cannot gather every detail on a card will be unable to use it.
Is It Necessary To Store the Data?
Before storing anything, consider whether you actually need the cardholder data you plan to gather. You can retain cardholder data when you are authorized to do so, but all of it must remain protected and encrypted.
The most essential question is whether the data is necessary. Think about whether you will need each piece of data later. Do not store items you expect to be unnecessary; by leaving them out, you reduce the amount of data that could be exposed in a breach.
Always Use the Right Methods For Handling Data
When managing cardholder data, be certain you follow the right standards:
- Always use the proper encryption and tokenization methods for protecting data.
- Never store any data that PCI DSS does not permit you to store.
- Do not share cardholder data with unauthorized parties. All data must be available on a need-to-know basis.
- Keep logs of every time someone accesses your cardholder data, including records of which people are authorized to do so.
- Use appropriate physical barriers to protect cardholder data, keeping servers, storage areas, and other facilities from being openly accessible.
PCI compliance is critical to your success, especially for avoiding liability issues. Pay close attention to how you store your data in every situation.