How Does PCI DSS Protect Cardholder Data?
Blog Article Published: 12/17/2020
By Branden Marrow from TokenEx
The Payment Card Industry Data Security Standard (PCI DSS) is a payment industry security regulation developed, maintained, and enforced by the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder data (CHD). The council tasks organizations that handle payments with protecting CHD such as primary account numbers (PANs), card verification values (CVVs), and more. There are six overall PCI DSS compliance goals covering 12 categories consisting of more than 300 security checks that organizations are expected to follow to comply with the regulation. For more information regarding PCI DSS compliance, be sure to check out our PCI DSS compliance ebook. To understand exactly how the PCI DSS protects cardholder data, it is helpful to know how the regulation came to be in the first place.
Who is the PCI SSC?
The PCI SSC consists of the five major card brands which include American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The PCI SSC was formed in 2006 to create an industry-wide standard for data protection regarding cardholder information. As the number of data breaches throughout the payment industry increased at an alarming rate, the PCI SSC sought to develop a single, consistent, and thorough set of rules for handling sensitive payment data. Thus, the PCI DSS was created, establishing the goals and requirements to address these concerns.
Although PCI compliance is not legally required, the PCI DSS is an incredibly influential industry regulation because it applies to any organization looking to process, store, or transmit payment information from the cards distributed by the members of the PCI SSC. If an organization does not meet these compliance obligations, it can be subject to fines and potentially no longer allowed to accept payments from cards issued by the PCI SSC members.
What Information is Protected by PCI DSS?
The PCI DSS was developed to ensure proper standards were in place to protect all customer data associated with credit, debit, or prepaid cards issued by PCI SSC members. This PCI-protected data is generally broken down into two parts.
1. Cardholder Data
PCI SSC defines cardholder data as the PAN by itself or the PAN in addition to any of the following card information.
- Cardholder name
- Expiration date
- Service code
2. Sensitive Authentication Data (SAD)
SAD is broken down into two categories:
Magnetic stripe data
Data elements on a card’s magnetic stripe use secure cryptographic processes to protect data integrity on the stripe and reveal any alteration or counterfeiting. Terms for this vary by card brand and are listed below:
- Card authentication value (CAV) is used by JCB payment cards.
- Card validation code (PAN CVC) is used by MasterCard payment cards.
- Card verification value (CVV) is used by Visa and Discover payment cards.
- Card security code (CSC) is used by American Express payment cards.
Printed security features
The three-digit value printed in the signature panel area on the back of Discover, JCB, MasterCard, and Visa payment cards, as well as the four-digit unembossed number printed above the PAN on the face of American Express payment cards, is uniquely associated with each physical card and ties the PAN to plastic. The terms for this vary by card brand and are listed below:
- Card identification number (CID) is used by American Express and Discover payment cards.
- Card authentication value 2 (CAV2) is used by JCB payment cards.
- Card validation code 2 (PAN CVC2) is used by MasterCard payment cards.
- Card verification value 2 (CVV2) is used by Visa payment cards.
How Does PCI DSS apply to me?
PCI DSS is important for more than one reason. If your organization transmits, processes, or stores any cardholder data, then the PCI DSS matters to you. Understanding your organization’s scope of compliance, as well as the pieces of your business that make up the cardholder data environment (CDE), is crucial to making sure you avoid costly fines or losing permission to conduct transactions with cards from the five PCI SSC brands. However, it is incredibly important from the consumer side as well.
Customers shouldn’t have to worry that their cardholder data isn’t secure when they provide it to an organization. Making sure your organization does its due diligence and complies with the PCI DSS is just one more way to ensure customer satisfaction and loyalty. Although customers probably won’t know if your organization is PCI DSS compliant, they will most definitely know if your organization makes headlines for having had customer data exposed in a breach.
At the end of the day, the onus is on individual organizations to protect cardholder data by meeting the requirements of the PCI DSS. The PCI DSS is simply a set of guidelines that is only as useful as an organization’s willingness to fulfill the full intent of the requirements in order to processes, store, or transmit payment information from the cards distributed by PCI SSC members. With that being said, merely aiming to meet the minimum requirements necessary for compliance won’t guarantee the protection of cardholder data. Instead, organizations should take a data-centric approach to security.
About the Author
Branden Marrow works for TokenEx, which was originally founded in 2009 to reduce PCI DSS scope. TokenEx utilizes its tokenization platform to help organizations simplify their compliance obligations by removing cardholder data from their environments.