FAQ #1222 Diff

Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?

Earlier Version
2014-05-28T00:00:00+00:00

Later Version
2025-06-11T14:57:12+00:00

Removed

Added

~~For information about protecting different~~No. Only the Primary Account Number (PAN) must be rendered unreadable when it is stored, in accordance with Requirement 3.5.1. Other elements of cardholder data, such as cardholder name, expiration date, or service code, do not need to be rendered unreadable, even if stored with the PAN.

However, if these elements are stored, processed, or transmitted with the PAN or are otherwise present in the cardholder data ~~(CHD), please~~environment (CDE), they must be protected in accordance with the PCI DSS requirements applicable to cardholder data.— such as network security controls, access controls, vulnerability management, and other security measures.

Please refer to the ~~tables provided in the ?PCI~~“PCI DSS Applicability ~~Information?~~Information” section ~~in the~~of PCI DSS. The tables illustrates that, if cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with applicable PCI DSS requirements.

This means that all applicable PCI DSS requirements, such as firewalls, patches, anti-virus, access controls, policies and procedures, etc., must be appliedv4.0.1 for protection of those cardholder data elements. However, only the PAN itself must be rendered unreadable in accordance with Requirement 3.4.

If these other elements of cardholder data (that is, cardholder name, expiry date and/or service code) are present without any PAN, then PCI DSS would not apply to those elements.more details.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.