Does PCI Apply to PAN only?

Question

I am trying to find out if a credit card application would be in-scope for PCI DSS. As part of the application process, customers can submit their credit card number (PAN) from another institution. No other data is captured from the credit card other than the customer's name of course.

Does this make it in-scope? I found this the below statement but it says AND. Thoughts?

CHD, at a minimum, is the cardholder’s name, the primary account number (PAN) and the expiration date. Any additional information from a credit card such as CVV/CVC/CID and track data is also considered CHD, but it may not be stored except during the authorization of a transaction.

Answer 1

The PAN alone is sufficient to make it in-scope. To quote PCI DSS 3.2.1 "PCI DSS Applicability Information":

The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.

So in your example, because the full PAN is being included, it and the cardholder name must be protected in accordance with the PCI DSS.

Answer 2

Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.2 April 2016 © 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved

Page 7

Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code

PAN, all by its lonesome is cardholder data. Any system, process, or person that collects, processes, transmits, or stores cardholder data, or sensitive authentication data is in-scope for a PCI DSS assessment.