When you receive card data from your clients, you must follow certain rules. Some data you are not allowed to retain, and you must destroy it after use. This is very important to know.
The PCI standard
The PCI-DSS standard defines which data you may keep and which must be destroyed. The table below gives you an overview.
| Category | Data | Storage allowed | Protection required | PCI-DSS 3.4 requirement |
|---|---|---|---|---|
| Cardholder data | Card number (PAN) | YES | YES | YES |
| | Cardholder name* | YES | YES* | NO |
| | Service code* | YES | YES* | NO |
| | Expiry date* | YES | YES* | NO |
| Sensitive authentication data** | Complete magnetic stripe | NO | N/A | N/A |
| | CVC2/CVV2/CID | NO | N/A | N/A |
| | PIN/PIN block | NO | N/A | N/A |
* This data must be protected if it is to be stored together with the card number. This protection must conform to the PCI-DSS requirements and take account of the law on protecting the cardholder's privacy (more specifically, the protection of consumers' personal data, privacy, identity theft or data protection).
The PCI-DSS requirements do not apply when card data is not stored, processed or shared.
** Sensitive authentication data/personal identification data may not be stored under any circumstances, even if it is encrypted.
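The retention rules in the table and notes above, applied to a captured transaction record before it is written to storage, as an added example (not part of the original page): sensitive authentication data is dropped, the PAN is rendered unreadable by truncation plus a keyed one-way index token (two of the methods requirement 3.4 accepts), and a final check confirms no full PAN survives in any field. Field names, the token key and the sample record are constructed for the demo.

```python
import hashlib
import hmac
import re

# Sensitive authentication data per the page's table: never stored after
# authorisation, even encrypted. Field names are assumptions for the demo.
SAD_FIELDS = {"magnetic_stripe", "track1", "track2", "cvv2", "cvc2", "cid",
              "pin", "pin_block"}
# Constructed demo key for the PAN index token; a real deployment keeps it in
# a key-management system, never in source code.
TOKEN_KEY = b"constructed-demo-key-not-for-production"
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def render_pan_unreadable(pan: str) -> dict:
    """Storable forms of a PAN: truncation to the last four digits and a
    keyed one-way token usable as a lookup index (two of the methods
    requirement 3.4 accepts; strong encryption is a third, not shown)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    token = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"pan_last4": digits[-4:], "pan_token": token}

def sanitize_for_storage(record: dict) -> dict:
    """Apply the retention table: drop every SAD field, replace the full PAN
    with its unreadable forms, keep name, expiry date and service code."""
    stored = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue  # destroy after use; never persist
        if name == "pan":
            stored.update(render_pan_unreadable(value))
        else:
            stored[key] = value
    return stored

def contains_raw_pan(record: dict) -> bool:
    """Post-check before writing: no full PAN may survive in any string field
    (a free-text memo, say). The hex token is skipped: a digest, not a PAN."""
    return any(isinstance(v, str) and PAN_PATTERN.search(v) is not None
               for k, v in record.items() if k != "pan_token")

# Constructed sample: the well-known Visa test PAN plus fabricated SAD values.
SAMPLE = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example",
          "expiry_date": "12/29", "service_code": "201", "cvv2": "123",
          "track2": "4111111111111111=2912201123456", "pin_block": "0123ABCD"}
```

Running `sanitize_for_storage(SAMPLE)` yields only the name, expiry date, service code, last four digits and token; `contains_raw_pan` on that result returns False, while on the raw `SAMPLE` it returns True.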
An overview of the PCI-DSS requirements
1. Building and maintaining a protected network
- Install and maintain a firewall structure to protect data.
- Do not use the manufacturer's default values for passwords and other protection parameters. Set your own passwords immediately.
2. Protection of the cardholder data
Do you send cardholder data and sensitive information over public networks? If so, ensure that this data is encrypted.
3. Recognise and control the vulnerability of your system with a Vulnerability Management Program
- Use anti-virus software and keep it up to date.
- Develop and maintain secure systems and applications.
4. Take measures for strict access control
- Limit access to data that is important to you.
- Establish a unique identity for every person who has access to your systems.
- Limit physical access to cardholder data.
5. Regularly monitor and test the network
- Monitor every access to network components and cardholder data.
- Regularly test the protection systems and processes.
6. Establish an explicit security policy
Set up an active information protection policy.
