Credit Card Data Protection Requirements

The Payment Card Industry has established a series of technical and operational requirements for protecting cardholder data. These security standards are mandatory for all entities that store, process or transmit cardholder data. More specifically, merchants, payment processors and third-party service providers are required to be in compliance with the most current Payment Card Industry PIN Transmission Security program (PCI PTS) and Payment Card Industry Data Security Standard (PCI DSS).

Additionally, processors, service providers and merchants are required to comply with all of the following requirements:

• A terminal or any other device at the point-of-sale (POS) does not display, replicate, or store any card-read data except card account number, expiration date, service code, or cardholder name. Remember that merchants should never store the card security codes (CVV2, CVC 2 and CID) and account numbers should be truncated to only display the last four digits, replacing all preceding digits with fill characters, such as “x,” “*,” and “#.” The table below lists the information that can and cannot be stored:
  
  

  Data Type	Data Element	Storage Permitted	Protection Required
  Cardholder data	Primary account number (PAN)	Yes	Yes
  	Cardholder name*	Yes	Yes
  	Service code*	Yes	Yes
  	Expiration date*	Yes	Yes
  Sensitive authentication data**	Full magnetic stripe	No	n / a
  	Card Verification Code	No	n / a
  	PIN / PIN block	No	n / a

  
  * These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of these data or proper disclosure of a company’s practices if consumer-related personal data is being collected during the course of business. PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted.
  **Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

• Any media containing cardholder and account information, including account numbers, personal identification numbers (PINs), credit limits, and account balances needs to be rendered unreadable, before discarding.
• Access to account data stored in computers and terminals is limited and controlled by data protection procedures, such as a password system for Computer Remote Terminal (CRT) access and control over dial-up lines.

Processing banks, merchants and third-party service providers that use wireless LAN technology to connect networks or servers that process or store bank card transaction or account data are required to comply with all of the following requirements:

• Implement Wi-Fi protected access (WPA) technology for data encryption and authentication when the wireless LAN technology is WPA-capable. Use of a Virtual Private Network (VPN) is also recommended.
• When the wireless LAN is not WPA-capable, a VPN must be implemented.
• Wireless Equivalent Privacy (WEP) must not be the sole method used to protect confidentiality and access to a wireless LAN. Moreover:
  • Since March 2009, it is prohibited to use WEP for new wireless LAN technology implementations.
  • Since June 2010, it is prohibited to use WEP for existing wireless LAN technology.

For more information on the PCI DSS requirements, you can refer to our PCI Data Security Standard Compliance post from a few months back.

Image credit: Pieniadzpl.blip.pl.