FAQ #1222 Diff
Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?
Earlier Version
Later Version
Removed
Added
For PCI DSS requirement 3.4information about protecting different elements of cardholder data (CHD), please refer to the tables provided in the ?PCI DSS Applicability Information? section in the PCI DSS. The tables illustrates that, if cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with applicable PCI DSS requirements.
This means that all applicable PCI DSS requirements, such as firewalls, patches, anti-virus, access controls, policies and procedures, etc., must be applied for protection ofspecific cardholder data (CHD)those cardholder data elements. However, only the PAN itself must be rendered unreadable in accordance with Requirement 3.4.
If these other elementsplease referof cardholder data (that is, cardholder name, expiry date and/or service code) are present without any PAN, then PCI DSS would not apply to the table included on page 7 of the PCI DSS. The table illustrates that, if the cardholder name, expiration date, or service code is recorded in conjunction with the PAN, these additional cardholder data elements are required to be ?protected?. This means that all applicable PCI DSS requirements must be adhered to for protection of those cardholder data elements stored in conjunction with the PAN, such as firewall, patches, anti-virus, access controls, policies and procedures, etc., but only the PAN must be rendered unreadable. Please note that if these other elements of cardholder data (that is, cardholder name, expiry date and/or service code) are present without any PAN, then PCI DSS would not apply to those elements.
This means that all applicable PCI DSS requirements, such as firewalls, patches, anti-virus, access controls, policies and procedures, etc., must be applied for protection of
If these other elements
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.