Under PCI DSS, sensitive data falls into two main categories:
Cardholder Data (CHD)
- Primary Account Number (PAN) - the payment card number
- Cardholder name - as it appears on the card
- Expiration date
Sensitive Authentication Data (SAD)
- Full track data - magnetic stripe or chip equivalent data
- Service code or card verification codes - CVV, CVC, CVV2, CVC2, CID values
- PINs and PIN blocks - personal identification numbers
Key Distinctions:
Cardholder Data may be stored, but only when it is protected as PCI DSS requires, through encryption, access controls, and the other applicable safeguards.
Sensitive Authentication Data must never be stored after transaction authorization is complete, regardless of encryption or other protection methods.
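Applied to a stored transaction record, the two rules reduce to a retention filter: drop every SAD field outright and render the PAN unreadable before anything is persisted. The Python below is an added example, not code from PCI DSS or any payment vendor; the field names, the sample record in the usage, and the 4111 1111 1111 1111 test number are constructed for illustration, and the free-text scan uses a Luhn check so that stray PANs in notes or log fields are caught as well.

```python
import re

# Sensitive Authentication Data: dropped outright after authorization.
# Field names are constructed for this example, not a standard schema.
SAD_FIELDS = {"track1", "track2", "chip_data", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits (truncation is one permitted
    method; how many leading digits may be kept depends on the PCI DSS version)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a valid PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_candidates(text: str) -> list:
    """Luhn-valid PAN-like numbers hiding in free text (notes, logs)."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def retain_after_authorization(record: dict) -> dict:
    """Copy of `record` that is safe to persist once authorization is complete."""
    kept = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue  # SAD is never stored, encrypted or not
        if name == "pan":
            kept[key] = truncate_pan(value)
        elif isinstance(value, str) and find_pan_candidates(value):
            kept[key] = "[REDACTED: PAN found in free-text field]"
        else:
            kept[key] = value
    return kept
```

Run `retain_after_authorization` over each record on the write path to storage; the free-text scan is the part most real systems miss, since PANs typed into notes fields bring that storage into scope.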
The PCI DSS requirements vary in scope and complexity depending on which types of sensitive data your organization handles, stores, processes, or transmits. The standard provides specific technical and operational requirements for protecting this data throughout its lifecycle.
Organizations that handle payment card data must comply with PCI DSS to protect against data breaches and maintain the security of the payment card ecosystem.