Types of Data on a Payment Card
Account Data
Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data includes:
- Full magnetic stripe data (or equivalent on a chip)
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks
PCI DSS applies wherever account data is stored, processed, or transmitted. Account data consists of cardholder data and/or sensitive authentication data, as listed above. Key points:
- Many people refer to ALL account data simply as "Cardholder Data"
- PCI DSS requirements are applicable wherever Primary Account Number (PAN) or Sensitive Authentication Data (SAD) is stored, processed, or transmitted
- PCI DSS requirements also apply to systems that provide security services or could impact the security of account data
- Account data includes all of the information printed on the physical card as well as the data on the magnetic stripe or chip
- Sensitive Authentication Data cannot be stored after authorization
- Encrypting cardholder data or sensitive authentication data does NOT necessarily remove it from scope
Merchants are not permitted to store track-equivalent data following authorization.