FAQ #1222 Diff
Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?
Earlier Version
Later Version
Removed
Added
For PCI DSS requirement 3.4 and protection of specific cardholder data elements,(CHD) elements please refer to the table included on page 7 of the PCI DSS. The table illustrates that, if the cardholder name, expiration date, or service code is recorded in theconjunction with the PAN, these additional cardholder data elements are required to be "protected". This means that all applicable PCI DSS on page 2 (www.pcisecuritystandards.org). The table illustrates that,requirements must be adhered to for protection of those cardholder data elements stored in conjunction with the PAN, such as firewall, patches, anti-virus, access controls, policies and procedures, etc., but only the PAN must be rendered unreadable. Please note that if thethese other elements of cardholder data (that is, cardholder name, expiration date, or other cardholder data is recorded in conjunction with theexpiry date and/or service code) are present without any PAN, even if the PAN is rendered unreadable, these additional cardholder data elements are still required to be "protected". This means that all other requirements in thethen PCI DSS must be adhered to for protection ofwould not apply to those cardholder data elements stored in conjunction with the PAN, such as firewall, patches, anti-virus, access controls, policies and procedures, etc., but only the PAN must be rendered unreadable. Please note that if the PAN is not stored, processed, or transmitted, even if other non-sensitive cardholder data is stored, PCI DSS does not apply.elements.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.