72

We have a merchant website that uses Autorize.net's CIM and AIM. Our users may have multiple credit cards so we'd want to give them opportunity to distinguish between credit cards that they use on site. Currently we think about storing cardholder name, 4 last digits of CC number and its expiration date.

What are the minimum requirements that should be held to store this sensitive data?

Edit: PCI DSS says:

The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.

So cardholder name and expiration date can be stored without being compliant. But what about 4 last digits of PAN?

smottt
  • 103
  • 3
Andrei Botalov
  • 5,267
  • 10
  • 45
  • 73
  • 2
    Even though it has nothing to do with your question, you should keep in mind that all your data security is worth nothing without a fitting customer policy. Great example of what can happen if you don't do at http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ – omni Sep 11 '12 at 15:28
  • @masi Wired has broken their links, here's the fixed version https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ – Ian Kemp Mar 07 '18 at 06:38

2 Answers2

66

Cardholder name, 4 last digits of CC number and its expiration date are all NOT sensitive data. The cardholder name and expiration date only require protection if you are storing them with the full primary account number, not the truncated 4 digit number.

If you are storing, processing, or transmitting cardholder data then you must meet all of the other PCI DSS requirements that kaushal mentions, but for the items you listed, you don't need to do anything special to protect them.

See pages 7 and 8 of the PCI DSS for more information on this: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

freb
  • 1,401
  • 8
  • 14
  • 17
    The PCI-DSS only requires you to protect the PAN if you are storing MORE THAN the first six and last four digits. E.g. 4111 11** **** 1234 can be stored without being considered sensitive data. – eficker Sep 07 '12 at 19:39
  • 1
    I see that cardholder name and expiration date can be stored without PCI DSS being applied. But from where do you cite information about 4 last digits? – Andrei Botalov Sep 07 '12 at 19:56
  • 1
    All it says is that PAN should be masked when being shown to user ( req. 3.3). But even if last 4 digits are stored, then it seems that PCI DSS applies (p. 7) – Andrei Botalov Sep 07 '12 at 20:02
  • 4
    @AndreyBotalov The PAN is only considered sensitive when it is stored/transmitted in its entirety. If it is masked or redacted following 3.3 then it is no longer sensitive, and the DSS does not apply. See this additional PCI Council document, second page under "Truncation": https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf – eficker Sep 07 '12 at 21:22
  • 2
    @AndreyBotalov Req 3.3 governs how much of a PAN you can display if you are storing the whole thing. You can freely display the portions that aren't sensitive (first six, last four) just as you can store the parts that aren't sensitive without being required to meet the DSS requirements. – freb Sep 07 '12 at 21:27
  • 1
    @eficker yes, from this document "PCI DSS requires PAN to be rendered unreadable" and them that it can be done using truncation. But PCI DSS applies even if store last 4 digits – Andrei Botalov Sep 07 '12 at 22:23
  • @AndreyBotalov, PCI only applies if you are the one doing the truncation, i.e. you receive full numbers and then discard a portion of them. PCI Applies if you store/process/transmit, so it is applicable because you are transmitting, not because you are storing the last 4. The last 4 is not cardholder data. – freb Jun 24 '14 at 15:43
  • 1
    The updated version (v3.1 - May 2015) of the referenced document is here https://www.pcisecuritystandards.org/documents/PA-DSS_v3-1.pdf and the relevant pages are 6 and 7. – tbeseda Aug 18 '15 at 21:47
13

Certain payment products transfer the burden of PCI compliance to the payment services provider (Authorize.NET or Paypal Pro). However, they require that a consumer be forwarded to the payment provider's servers to complete their order. If your website integrates with Authorize.NET via an API then you are still liable for PCI compliance since your servers capture and transmit the credit card data first.

It is important for you to pay heed to requirement 3 of PCI-DSS guide, which is Protect Cardholder Data.

According to PCI-DSS https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf,

Unless you are an issuer or company that supports issuing services, Section 3.2 clearly explain that you cannot store sensitive data, even if encrypted.

However, if you are retaining sensitive data for normal course of business then you must have a defined data retention and disposal policy in place as explained in Section 3.1.

And you also must mask sensitive data when displayed according to Section 3.3

And you must render the stored sensitive data unreadable as explained in section 3.4

Edit:

By requirements 3.2 and sub requirement 3.2.1 mentioned in PCI-DSS document, I would like to iterate that Sensitive data in storage/ transmission includes 1) Card Number 2) Card Holder name 3) Expiry Date 4) Service Code

Page 7 & 8 says, PAN defines the applicability of PCI-DSS.

IMO, Absence of FULL pan dissolves any PCI-DSS applicability. I agree with the answer above.

Hence, in this case PCI-DSS will not apply if you store any piece of this data along with first 6 and/or last 4 digits of the credit card number.

kaushal
  • 177
  • 5
  • Are you liable for PCI compliance because of a contract you sign to use Authorize.NET? AFAIK, PCI compliance only matters if you are contractually obligated since it isn't a law. – Bradley Kreider Sep 07 '12 at 18:33
  • 4
    @kaushal - I believe the OP was referring to storing only the last four digits of the primary account number (credit card number). The rules for transmitting still apply if the card is inputted into his specific site as opposed to being redirected to say Authorize's or PayPal's site. There are sections of the DSS that are specific to storage and sections specific to transmission, so it does matter. – eficker Sep 07 '12 at 19:42
  • 5
    @rox0r - Completely wrong. You are subject to the PCI-DSS if you process, store or transmit cardholder data. Just because you are not being hounded to comply, you still are processing cards and by default are liable. You have a merchant number and will be help accountable in the event of a breach if you are not compliant. On another note, in order to get your merchant number I will GUARANTEE you that you will have to sign a contract that includes a provision for becoming and staying compliant. – eficker Sep 07 '12 at 19:45
  • 1
    A little overuse of the bold feature, I think. By the way, PCI-DSS is not a legal construct / law, it is a commonly instituted contract. While you may possess liability in a civil sense for losing card numbers, it's not nearly the same as having a merchant number where you've agreed to the processor's contract as part of the process. – Jeff Ferland Sep 07 '12 at 19:45
  • 1
    @eficker: How exactly am i wrong? PCI-DSS compliance is only enforced via contract law. If you "process, store or transmit cardholder data," but haven't signed any contract you aren't liable under PCI compliance. – Bradley Kreider Sep 07 '12 at 21:24
  • 3
    @rox0r In what business are you going process/store/transmit legitimate cardholder data without a contract or a merchant account? No, you will not be prosecuted by state or federal gov'ts, but if you are the source of a data breach, you will be held liable and sued by any that suffer a loss as a result. – eficker Sep 07 '12 at 21:35
  • @eficker "you will be held liable and sued by any that suffer a loss as a result." That's a lot different than being slapped with PCI compliance penalties. I have no idea how you get cardholder data, which is the whole reason i asked about when you come under PCI rules (your answer was that you are automatically subject to PCI rules the second you process or store cardholder information). – Bradley Kreider Sep 07 '12 at 22:23
  • Read p.7 of https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf. Expiration date and cardholder name aren't sensitive data – Andrei Botalov Sep 08 '12 at 09:00
  • 1
    @AndreyBotalov: Expiration date and cardholdername are sensitive data if stored/ transmitted along with a Full PAN. – kaushal Sep 08 '12 at 09:08
  • Yes, my question doesn't tell that I want to store the full PAN so I don't know why have you included it into your answer and comments – Andrei Botalov Sep 08 '12 at 09:09
  • "PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply" – Andrei Botalov Sep 08 '12 at 09:09
  • @AndreyBotalov Just edited my answer to reflect my improved knowledge. Changing it fully will contort the discussion. – kaushal Sep 08 '12 at 09:14
  • "Absence of FULL pan dissolves any PCI-DSS applicability. I agree with the answer above.". From where do you cite that? – Andrei Botalov Sep 08 '12 at 09:14
  • "The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply." IMO, If the defining factor that is PAN is not-sensitive, then PCI-DSS requirement do not apply. FULL PAN includes more than first 6 and last 4 digits of credit card number. – kaushal Sep 08 '12 at 09:19
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/4762/discussion-between-kaushal-and-andrey-botalov) – kaushal Sep 08 '12 at 10:58