Can I store following holder data according the PCI DSS v3:
If no, which way I can follow to store them?
P.S. I've found this answer, but it's related to v2.
Update: Also, I found this article with the following comment: "...Truncation – removing a data segment, such as showing only the last four digits...", but I'm not sure that it's actual information related to the v3.
Can I store following holder data according the PCI DSS v3:
In short: Yes, you may store all of that data, without encryption, under the DSS, as long as you're not storing the PAN (the credit card number).
However, some of that information falls under the PII regulations of various states, and your failure to protect it would be subject to various fines. So just because the DSS doesn't care doesn't mean you shouldn't.
In detail:
The DSS 3.2 states (emphasis mine):
PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)
CHD and SAD are defined as follows (also in DSS 3.2):
While cardholder name and expiration date are listed under CHD, the following caveat states that they are only considered CHD in conjunction with the PAN (emphasis original to the DSS):
The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.
By implication, if the PAN is not present, then the other listed data fields do not need to be protected as per DSS requirements.
Finally, while these quotes are from the DSS 3.2, they're largely unchanged from 3.0/3.1 and 2.x (to the best of my recollection; I haven't doublechecked).
