
What is Cardholder Data?

Written by Schellman | Jul 17, 2024 4:08:37 PM

Hi, I'm Matt Crane. I'm a leader in the Payment Security Practice, and today we're going to tackle what exactly cardholder data is because the PCI Council has introduced a new term in PCI DSS v4.0. But first, let's talk about PCI DSS v3.2.1, because--similar to the dinosaurs on my shirt in this video--some of the terminology in v3.2.1 is now extinct, as this version was officially retired on March 31, 2024.

Cardholder Data vs. Sensitive Authentication Data

That includes the broad way the Council previously defined cardholder data. Under PCI DSS v4.0 the term "cardholder data" is still in use, but it is now grouped under a larger term, "account data," which has two subcategories:

Cardholder Data
  • Primary account number (PAN)*
  • Expiration date (sometimes referred to as expiry)
  • Cardholder name
  • Service code

Sensitive Authentication Data (SAD)
  • The three types listed below

* Only the primary account number needs to be encrypted--for the rest of your cardholder data, you must just meet the standard data protection rules in Requirement 3.

The three types of SAD:

  • Full track data (or track data): Typically found only in card-present transactions. "Track" refers to the information stored on the magnetic stripe, or the track-equivalent data in the chip.
  • PIN (or PIN blocks): PINs for debit cards. (NOTE: For international organizations, the PIN is also used in chip-and-PIN credit card transactions.)
  • Card verification codes: The 3- or 4-digit number on the front or back of the card (typically used only for card-not-present transactions over the Internet).
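Added example, not from the original post: a small Python check that applies this account-data split to stored payment records. The field names, the `enc:`/`tok_` markers for a PAN that has already been rendered unreadable, and the sample records are constructed for illustration; the rule that SAD must not be retained after authorization and the first-six/last-four display mask are assumed from PCI DSS Requirement 3 rather than stated in the post.

```python
import re

# Account-data taxonomy under PCI DSS v4.0, as laid out above.
CARDHOLDER_DATA = {"pan", "cardholder_name", "expiration_date", "service_code"}
SENSITIVE_AUTH_DATA = {"full_track_data", "pin", "pin_block", "card_verification_code"}

# Assumed (hypothetical) marker: a stored PAN is considered unreadable when it is
# a ciphertext ("enc:...") or a token ("tok_...") rather than the digits themselves.
PROTECTED_PAN = re.compile(r"^(enc:|tok_)")


def classify(field):
    """Map a stored field name to its PCI account-data category."""
    if field in CARDHOLDER_DATA:
        return "CHD"
    if field in SENSITIVE_AUTH_DATA:
        return "SAD"
    return "other"


def check_stored_record(record):
    """Return findings for one record kept after authorization.

    Assumed rules (PCI DSS Requirement 3, not stated in the post): SAD must
    not be retained after authorization, and a stored PAN must be unreadable.
    """
    findings = []
    for field, value in record.items():
        if classify(field) == "SAD" and value not in (None, ""):
            findings.append(f"SAD field '{field}' retained after authorization")
        elif field == "pan" and not PROTECTED_PAN.match(str(value)):
            findings.append("PAN stored in cleartext")
    return findings


def mask_pan(pan):
    """Display-mask a cleartext PAN, keeping the first six and last four digits (assumed policy)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample records (not real card data): one compliant, one not.
COMPLIANT = {"pan": "tok_9f3a1c", "cardholder_name": "J DOE",
             "expiration_date": "12/27", "service_code": "201"}
VIOLATING = {"pan": "4111111111111111", "cardholder_name": "J DOE",
             "card_verification_code": "123", "pin_block": ""}

if __name__ == "__main__":
    for name, rec in (("compliant", COMPLIANT), ("violating", VIOLATING)):
        print(name, check_stored_record(rec) or "no findings")
```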

We hope that helps you gain a basic understanding of the new distinctions within account data--including what still counts as cardholder data and what is now SAD. If you have any other questions, feel free to reach out to us so we can set up some time to go over any other concerns you may have.