PCI
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a standard for organizations that handle card data.
Notice
It is of utmost importance that merchants and payment service providers follow these guidelines for managing card data.
What is card data?
Any data that is printed on either side of a card or embedded in the magnetic stripe or chip. This includes the card number (PAN), cardholder name, Track 2 data, card verification value, expiration date, service code and PIN data.
What can you store?
You cannot store any card data in clear text. See below for guidelines on how to protect card data for storage.
If the card data is protected you can store the following values:
- Card number (PAN)
- Cardholder name
- Expiration date
- Service code
Even if protected, you may not under any circumstances store the following values:
- The full Track 2 data
- PIN
- PIN block
- Card verification value
Technical Guidelines for Protecting Stored Payment Card Data
PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs. Solutions for this requirement may include one of the following:
- One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value.
- Truncation – permanently removes a segment of the data (for example, retaining only the last four digits).
- Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or “pad” that works only once.
- Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”
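As an added example (not part of the original page), the following Python shows three of the listed approaches applied to a PAN: truncation to the last four digits, a keyed one-way hash of the full PAN, and redaction of PANs that have leaked into log lines. The Luhn filter, the HMAC key and the sample log line are assumptions made for this example.

```python
import hmac
import hashlib
import re

# Candidate PANs: 13 to 19 consecutive digits, the ISO/IEC 7812 length range.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which issued PANs pass (used here as a filter)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits; the rest is discarded for good."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the full PAN, keyed (HMAC-SHA256) so that someone holding
    the stored hashes cannot enumerate the digits behind a known issuer prefix
    and match them; the key falls under the key-management requirements."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_pans_in_log(line: str) -> str:
    """Replace each Luhn-valid 13-19 digit run with its truncated form."""
    def _mask(match):
        digits = match.group(0)
        if not luhn_valid(digits):
            return digits  # order id, timestamp or similar, not a card number
        return "*" * (len(digits) - 4) + truncate_pan(digits)
    return PAN_PATTERN.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample log line; 4111111111111111 is an industry test number.
    sample = "2024-05-01 auth ok pan=4111111111111111 ref=1234567890123 amount=10.00"
    print(redact_pans_in_log(sample))
    # -> 2024-05-01 auth ok pan=************1111 ref=1234567890123 amount=10.00
```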
Some cryptography solutions encrypt specific fields of information stored in a database; others encrypt a singular file or even the entire disk where data is stored. If full-disk encryption is used, logical access must be managed independently of native operating system access control mechanisms, and decryption keys must not be tied to user accounts. Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse. All key management processes and procedures for keys used for encryption of cardholder data must be fully documented and implemented.