Cardholder Data
What is Cardholder Data?
Cardholder data is any information which is associated with a payment card. This consists of the following:
- Primary Account Number (PAN): The 16-digit number printed on the front of the payment card. It uniquely identifies the cardholder’s account.
- Cardholder Name: The name of the person who owns the payment card. It is typically printed on the front of the card.
- Expiration Date: The month and year when the payment card becomes invalid. It is also printed on the front of the card.
- Service Code: The 3 or 4-digit value encoded into the magnetic stripe on the back of the card.
Additionally, it’s worth noting that PCI DSS 4 also covers Sensitive Authentication Data (SAD). These pieces of data are used for authentication purposes. However, unlike Cardholder data, Sensitive Authentication data can be processed but cannot be stored. This includes:
- Full track data from the magnetic stripe or equivalent on a chip.
- Card Verification Value (e.g. CAV2/CVC2/CVV2/CID) codes: This is the 3-digit number on the back of the card.
- PIN numbers or PIN blocks.
PCI DSS compliance requires organizations to implement security measures to protect cardholder data from unauthorized access, use, or disclosure. This includes encryption, secure storage, access controls, and regular monitoring to ensure the security of cardholder data.
See the following diagram for a summary.
Cardholder data examples