FAQ #1154 Diff

Is pre-authorization account data in scope for PCI DSS?

Earlier Version

Yes, PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization. There are no specific rules in PCI DSS regarding how long CHD or SAD can be stored prior to authorization, but such data would need to be protected according to PCI DSS. Use of PTS-validated payment devices and PA-DSS validated payment applications can support PCI DSS compliance for the protection of data prior to authorization.

With respect to SAD, PCI DSS Requirement 3.2 prohibits any storage of SAD AFTER authorization, even if encrypted. Whether SAD is permitted to be stored prior to authorization is determined by the individual payment brands, including any related usage and protection requirements. Additionally, several payment brands have very specific rules that prohibit any storage of SAD and do not make any exceptions. To determine payment brand requirements, please contact the individual payment brands directly. Contact information for the payment brands can be found in FAQ 1142.

Later Version

For PCI DSS, account data consists of cardholder data (CHD) and sensitive authentication data (SAD). With respect to SAD, PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization. Requirement 3.3.1 prohibits storage of SAD after authorization, even if encrypted. Note that there are no specific rules in PCI DSS regarding how long CHD or SAD can be stored before authorization, but such data would need to be protected according to PCI DSS. Use of PCI approved PTS devices and PCI-validated payment software can support PCI DSS compliance for the protection of data prior to authorization.

The individual payment brands determine whether SAD is permitted to be stored before authorization, including any related usage and protection requirements. Additionally, several payment brands have specific rules that prohibit any storage of SAD and do not make any exceptions. To determine payment brand requirements, please contact the individual payment brands directly. Contact information for the payment brands can be found in FAQ 1142, "How do I contact the payment card brands?"

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.