Cardholder Data or CHD refers to the specific information associated with a payment card that is subject to the security requirements outlined by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
Key Components of PCI Cardholder Data:
- Primary Account Number (PAN):
- The unique number assigned to a cardholder’s credit or debit card. It is the most critical piece of cardholder data and must be protected.
- Cardholder Name:
- The name of the individual to whom the card is issued. While the cardholder name alone is not considered sensitive, it must be protected when combined with the PAN.
- Expiration Date:
- The date after which the card is no longer valid. It is usually in the MM/YY format.
- Service Code:
- A three-digit or four-digit value used to specify acceptance requirements and limitations for a magnetic-stripe payment card.
Sensitive Authentication Data (Not to be Stored Post-Authorization):
- Full Magnetic Stripe Data or Chip Data:
- Contains all the information in the magnetic stripe or chip, which is used for card processing. Storing this data after authorization is strictly prohibited by PCI DSS.
- Card Verification Code or Value (CVV, CVV2, CVC2, CID):
- The three- or four-digit number printed on the card, used to verify that the cardholder is in possession of the card during a transaction. This must never be stored after authorization.
- PIN/PIN Block:
- The personal identification number entered by the cardholder during a transaction, usually associated with debit card transactions. Storing the PIN or PIN block after authorization is prohibited.
