All businesses that accept card payments may find it difficult to understand the ins and outs fo payment processing, particularly when it comes to data security. Staying in compliance with the Payment Card Industry Data Security Standard (PCI DSS) means understanding the basics of how cardholder data should be handled. To help guide business owners through the sea of acronyms and technical terms, here is helpful information on what exactly cardholder data is and how to protect it to stay in PCI compliance.
What is Cardholder Data?
Embedded within every debit or credit card transaction is a wealth of data. The Payment Card Industry Security Standards Council (PCI SSC) issues the standards for PCI compliance and seeks to, “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.”
Simply put, the council aims to safeguard payment data and prevent fraud by establishing standards that must be followed by anyone handling sensitive payment information (i.e., businesses, merchant services providers, etc.).
The PCI SSC defines cardholder data as the full Primary Account Number, commonly known by the acronym PAN. In addition to the PAN, “cardholder data can include cardholder name, expiration date, and/or service code”.
This information is valuable and desirable to bad actors, so encrypting and tokenizing cardholder data is extremely important. The PAN, cardholder name, and card expiration date are the primary components of cardholder data and are easy concepts to comprehend..
However, there are a few other key elements of cardholder data and a number of other terms that are important to understand related to payment processing.
The complete list of terms associated with payment processing codes is expansive. Here are some of the most common terms and acronyms associated with cardholder data.
[2×4 “Dictionary” Table? Or bullets]
CHD simply means Cardholder Data, and is also sometimes shortened to “CD”.
PAN stands for the primary account number and is the unique card number associated with credit and debit cards. The account number identifies both the issuer and cardholder for the account.
PIN stands for Personal Identification Number and is a number known only to the user and system, used to validate debit card and ATM transactions.
Service Codes are the three or four-digit codes following the expiration date of the card and make up a large portion of the PCI “alphabet”. There are a variety of uses for these codes such as differentiating local or international transactions or identifying usage restrictions. These codes are referred to by a number of acronyms, each associated with either data from the magnetic stripe or printed security features on the card.
The codes associated with magnetic stripe data are:
- CAV – Card Authentication Value, used for cards issued by JCB
- PAN CVC – Card Validation Code, used for MasterCard payment cards
- CVV – Card Verification Value, used for Visa and Discover cards
- CSC – Card Security Code, used for American Express payment cards
The various card brands also use a secondary card certification which is printed on the card. For JCB, MasterCard, Discover, and Visa, this is a three-digit code on the signature panel on the back of the card. For American Express, this is a four-digit code above the card number on the front of the card.
These codes are all unique and specifically tied to the PAN:
- CID – Card Identification Number, used for American Express and Discover card payments
- CAV2 – Card Authentication Value 2, used for JCB card payments
- PAN CVC2 – Card Validation Code 2, used for MasterCard card payments
- CVV2 – Card Verification Value 2, used for Visa card payments
A few additional important terms related to PCI compliance include:
CDE – Cardholder Data Environment and refers to,“ people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.”
SAQ – Self-Assessment Questionnaire and is a reporting tool to document results from a PCI DSS assessment.
Truncation – This is the method of making the full PAN unreadable through the removal of a segment of PAN data. This is related to protecting the PAN when stored digitally in databases or files. When displayed or printed, this is called masking.
QSA – Qualified Security Assessor. A QSA is qualified by the PCI SSC to perform on-site assessments to validate if the merchant is in compliance with the PCI DSS.
While there are many more terms associated with payment processing, most businesses would admit they’re not fully versed in all PCI terms and definitions. The fundamentals of protecting cardholder data and staying PCI compliant are ultimately done through using trusted and approved payment processors and implementing secure practices when handling cardholder data.
Clarifying Cardholder Data Misconceptions
Given the wealth of information associated with cardholder debit and credit card data, it’s unsurprising there is some confusion, even in the industry, as to what constitutes cardholder data. Some believe the data is only made up of the PAN and associated security code, but according to the PCI Security Standards Council, it is a combination of the cardholder name, PAN, expiration date, and security code.
Understanding and Maintaining PCI DSS Compliance
The PCI security standards council is clear that it is, “paramount for every merchant, financial institution or other entity that stores, processes or transmits cardholder data.” The purpose of the standards is to protect cardholder data by providing a set of operational requirements for merchants processing credit and debit card transactions.
Another purpose of the standards is to align payment processing software companies with technical details needed for point-of-sale (POS) software and hardware.
PCI Security Standards encompass four areas:
- PCI Data Security includes technical and operational standards connected to cardholder data. This covers everything from building and maintaining a secure network and protecting stored cardholder data, to monitoring and testing networks and maintaining an information security program.
- PCI PTS Requirements translates to PCI PIN Transaction Security Requirements. This is focused on protecting cardholders’ PINs and payment processing-related activities. Manufacturers of payment processing software and terminals must follow these requirements in every step of the process, from design to implementation.
- PA-DSS Security means Payment Application Data Security Standard and applies to software vendors or any others that develop payment applications used to process, transmit or store cardholder data.
- Point-to-Point Encryption or P2P Encryption requires merchants to encrypt the transmission of cardholder data to make it unreadable to unauthorized parties. A combination of security standards and validated software are imperative to ensure P2P encryption and data security are upheld.
5 Ways to Protect Cardholder Data
Maintaining PCI compliance takes dedicated effort and resources. Below are five ways merchants can protect cardholder data.
- Only use software and hardware from trusted service providers that are approved by the PCI security standards council. Choosing a trusted payment processor is your first line of defense in protecting customer cardholder data and ensures software is compliant, encrypted, and secure.
Take Stax, which is a certified Level 1 PCI service provider. This is the highest level of PCI compliance, and it guarantees that our services comply with the council’s most rigorous requirements.
- Develop and maintain an information security program. This includes regular maintenance of firewalls, conducting regular program audits and updating and updating all technology.
- Never store cardholder data on paper, and limit the storage of payment information in general. If cardholder information must be kept, merchants are required to develop a strategy to securely store and protect this information.
- Create a culture in your organization that prioritizes its security policy. This includes regularly training employees on cybersecurity best practices. This is another important step in meeting PCI DSS requirements.
- Regularly check the physical security of payment terminals for skimming devices or rogue software. In addition to the threat of a data breach, point-of-sale systems can also be physically compromised and should be regularly assessed.
Final Words
Protecting cardholder data and maintaining PCI DSS compliance go hand in hand. A combination of policy and procedure at the merchant level and partnership with a trusted payment processing provider is key to staying in compliance and maintaining cardholder data protection. By choosing a payments platform and following guidance provided by the PCI Security Standards Council, merchants will be well-positioned to stay PCI compliant and protect their customer’s cardholder data.
Stax offers solutions that promote PCI compliance and keep transactions secure. Get in touch and learn more about how we can help you safeguard your business’ and customers’ payment data.
FAQs about Cardholder Data
Q: What is Cardholder Data?
Cardholder data, defined by the Payment Card Industry Security Standards Council (PCI SSC), refers to the full Primary Account Number (PAN), which can include the cardholder name, expiration date, and/or service code. These components are significant in making secure transactions and hence, data security is crucial.
Q: What is the role of Cardholder Data in PCI Compliance?
The essential role of cardholder data in PCI Compliance is to ensure secure payment transactions. PCI DSS sets standards that require businesses, merchant services providers, and all those handling sensitive payment information to secure cardholder data, primarily the PAN, cardholder name, and expiration date.
Q: What is the PCI Security Standards Council?
The PCI Security Standards Council (PCI SSC) is a body that sets the standards for PCI compliance. Their aim is to bolster global payment account data security by evolving standards and supporting services that aid education, awareness, and efficient implementation by stakeholders.
Q: What is the primary account number (PAN)?
The Primary Account Number (PAN) is a unique card number associated with credit and debit cards. The PAN identifies both the issuer and the cardholder of the account, playing an integral part in card transactions.
Q: What is the Cardholder Data Environment (CDE)?
The Cardholder Data Environment (CDE) refers to the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
Q: What does PCI DSS Compliance involve?
PCI DSS Compliance is paramount for any entity that stores, processes, or transmits cardholder data. It involves a set of operational requirements for these entities, tech specifications for point-of-sale (POS) software and hardware, and comprehensive requirements addressing various areas such as PCI Data Security, PCI PTS Requirements, PA-DSS Security, and Point-to-Point Encryption.
Q: How can businesses protect Cardholder Data and ensure PCI Compliance?
Businesses can protect cardholder data and ensure PCI compliance through measures like using approved software and hardware from trusted service providers, maintaining an information security program, limiting the storage of payment information, regularly training employees on cybersecurity best practices, and regularly assessing the physical security of payment terminals.
Q: Is it necessary to store cardholder data?
While some businesses may require to store cardholder data, it’s important that they develop a strategy to securely store and protect this information. PCI DSS requirements stipulate that the full PAN should be unreadable through the removal of a PAN data segment, a process known as truncation.
Q: What is a Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is an entity qualified by the PCI SSC to perform on-site assessments to validate if the merchant is in compliance with the PCI DSS.
Q: What role do payment processors play in protecting Cardholder Data?
Payment processors have a crucial role in protecting cardholder data. They ensure that transaction software is compliant, encrypted, and secure. Therefore, choosing a trusted and PCI-compliant payment processor is a key step to securing customer cardholder data and maintaining PCI DSS compliance.