| Data Element (category) | Data Element | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4 |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | No |
| Cardholder Data | Service Code | Yes | No |
| Cardholder Data | Expiration Date | Yes | No |
| Sensitive Authentication Data | Full Track Data | No | Cannot store per Requirement 3.2 |
| Sensitive Authentication Data | CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2 |
| Sensitive Authentication Data | PIN/PIN Block | No | Cannot store per Requirement 3.2 |
PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.
Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
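The table and the two notes above describe a storage policy that can be enforced as a gate in front of any persistence layer. The following is an added example (not from PCI DSS or any vendor) that applies the table's rules before a record is written: SAD fields are dropped after authorization regardless of encryption, the PAN is rendered unreadable, other cardholder data passes through, and unclassified fields are rejected so a new field cannot bypass the policy. The field names, the 13-19 digit PAN format and the choice of truncation to the last four digits as the Requirement 3.4 method are assumptions for this example; the page does not specify a method.

```python
import re
from typing import Any, Dict

# Data elements from the PCI DSS table, as assumed record keys for this example.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
SENSITIVE_AUTH_DATA = {"full_track_data", "cav2_cvc2_cvv2_cid", "pin", "pin_block"}

PAN_RE = re.compile(r"\d{13,19}")  # assumed PAN length range for this example


def render_pan_unreadable(pan: str) -> str:
    """Truncate the PAN so only the last four digits survive.

    Truncation is one way to satisfy Requirement 3.4; the choice is an
    assumption of this example, not a statement of the standard.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not PAN_RE.fullmatch(digits):
        raise ValueError("field does not look like a PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: Dict[str, Any], post_authorization: bool = True) -> Dict[str, Any]:
    """Return a copy of `record` that the table permits to be stored.

    - SAD is dropped after authorization (encrypting it is not an option).
      Pre-authorization retention is acquirer/brand specific, so the caller
      must opt in explicitly with post_authorization=False.
    - PAN is stored only in its truncated form.
    - Remaining cardholder data is permitted as-is (unreadable not required).
    - Unknown keys raise, so the policy is deny-by-default for new fields.
    """
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_DATA:
            if not post_authorization:
                out[key] = value
        elif key == "pan":
            out[key] = render_pan_unreadable(str(value))
        elif key in CARDHOLDER_DATA:
            out[key] = value
        else:
            raise ValueError(f"unclassified field {key!r}; classify it before storing")
    return out


if __name__ == "__main__":
    # Constructed sample record (the PAN is a well-known test number, not real card data).
    sample = {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",
              "expiration_date": "12/29", "service_code": "201",
              "cav2_cvc2_cvv2_cid": "123", "full_track_data": "constructed-track"}
    print(sanitize_for_storage(sample))
```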
Network segmentation, that is, isolating (segmenting) the cardholder data environment from the remainder of an entity’s network, is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce: