What Is Considered Cardholder Data? The Core Components
Demystify cardholder data. Accurately identify payment information, distinguish sensitive details, and understand what is not classified as such.
Understanding “cardholder data” is paramount for consumers and businesses involved in payment card transactions. Mishandling this information can lead to significant financial fraud and identity theft. Recognizing the different categories of payment-related data helps ensure sensitive details are protected. Businesses accepting card payments bear a responsibility to safeguard this information to protect their customers and maintain trust in the payment system.
Cardholder data refers to sensitive information directly associated with a payment card, enabling transactions. The Primary Account Number (PAN) is the unique 12- to 19-digit number on the front of a credit, debit, or prepaid card. This number serves as the central identifier for the cardholder’s account and the issuing financial institution. The PAN links the card to account information stored by the issuer.
Beyond the PAN, cardholder data includes the cardholder's name, expiration date, and service code. The expiration date indicates when the card is no longer valid. The service code is a three- or four-digit value encoded on the card that describes its service attributes, such as where it may be used and what authorization rules apply. When these elements are stored or transmitted together with the PAN, they constitute core cardholder data and require robust security measures to prevent unauthorized access or misuse.
Sensitive Authentication Data (SAD) is the most sensitive subset of cardholder data, used to verify the cardholder's identity or authorize transactions. This category includes the card verification value (CVV, CVC, CVV2, CVC2), the three- or four-digit security code printed on a payment card. Personal Identification Numbers (PINs) and PIN blocks are also included.
SAD also includes full magnetic stripe data or its EMV chip equivalent. This data contains information necessary for processing transactions. Unlike other cardholder data, Sensitive Authentication Data must not be stored by merchants or service providers after a transaction has been authorized. This rule is in place because if SAD were compromised alongside the PAN, it would significantly increase the risk of fraudulent transactions and counterfeit card creation. Even if encrypted, storing SAD after authorization is prohibited, as its retention could allow attackers to bypass security controls and facilitate fraud.
While many pieces of information are part of a payment transaction, not everything falls under the strict definition of cardholder data. Details that do not directly identify the card or cardholder in a way that enables fraudulent transactions are generally not classified as cardholder data. For instance, the transaction amount, the merchant’s name, and the date and time of the transaction are important for record-keeping but do not pose the same security risks as direct card details.
These types of transactional details, while often linked to a payment, do not allow for the initiation of new fraudulent transactions if compromised on their own. They serve operational and reporting purposes rather than directly facilitating the use of a payment instrument. Therefore, organizations handle this information with appropriate data privacy measures, but typically not under the same stringent security controls required for core cardholder data or sensitive authentication data.
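The three categories above (core cardholder data, Sensitive Authentication Data, and ordinary transactional detail) translate directly into a pre-storage rule set. The following is an added example, not code from the original article or from any payment brand or standards body: it classifies the fields of a transaction record, drops SAD before anything is persisted, truncates the PAN so the stored value cannot be used to initiate a transaction, passes transactional fields through unchanged, and scans free text such as log lines for PANs that should never have been written there. The field names, the sample record, and the log line are constructed for the example; the Luhn check and the first-six/last-four truncation are standard techniques but not something the article itself specifies.

```python
import re

# Constructed field-name sets for this example; real schemas differ.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "pin", "pin_block",
              "track1", "track2", "emv_chip_data"}
CHD_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}


def classify_field(name: str) -> str:
    """Map a field name to one of the article's three buckets."""
    key = name.lower()
    if key in SAD_FIELDS:
        return "SAD"    # sensitive authentication data: never store after auth
    if key in CHD_FIELDS:
        return "CHD"    # core cardholder data: store only under strict controls
    return "OTHER"      # transactional detail: ordinary data-privacy handling


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: a cheap filter that rejects most non-PAN digit runs.
    Also enforces the 12- to 19-digit PAN length range."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest (a common
    truncation pattern); the result is no longer a usable PAN."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist:
    SAD fields dropped, PAN truncated, all other fields passed through."""
    stored = {}
    for name, value in record.items():
        bucket = classify_field(name)
        if bucket == "SAD":
            continue                     # retention prohibited, even encrypted
        if name.lower() == "pan":
            digits = re.sub(r"\D", "", str(value))
            if not luhn_valid(digits):
                raise ValueError("pan field does not pass the Luhn check")
            stored[name] = truncate_pan(digits)
        else:
            stored[name] = value
    return stored


# Heuristic finder for PANs that leaked into free text such as log lines:
# 12-19 digits, optionally separated by single spaces or hyphens, that pass Luhn.
_PAN_RUN = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs found in text, digits only."""
    hits = []
    for m in _PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample input: an authorization record as an application might
# build it, before anything is written to a database or log.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",       # well-known test PAN, Luhn-valid
    "cardholder_name": "J. DOE",
    "expiry": "12/27",
    "service_code": "201",
    "cvv2": "123",                      # SAD: must be dropped
    "pin_block": "A1B2C3D4E5F60718",    # SAD: must be dropped
    "track2": ";4111111111111111=27122011234567890?",  # SAD: must be dropped
    "amount": "42.00",                  # transactional detail: kept
    "merchant": "Example Store",
    "timestamp": "2025-01-01T12:00:00Z",
}

# Constructed log line: the order reference is 12 digits but fails Luhn,
# so only the real PAN is reported.
SAMPLE_LOG_LINE = "order 17 paid with 4111-1111-1111-1111 ref 123456789012"

if __name__ == "__main__":
    print(scrub_for_storage(SAMPLE_RECORD))
    print(find_pans(SAMPLE_LOG_LINE))
```

The scrubber raises rather than silently truncating when the PAN field fails the Luhn check, so a malformed record is noticed instead of being half-sanitized. The free-text finder is a heuristic: Luhn filtering removes most order numbers and timestamps, but it is a detection aid for log review, not a substitute for keeping PANs out of logs in the first place.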