Frequently Asked PCI DSS Questions
Service providers and merchants can store cardholder data under PCI DSS. This is subject to the protection and usage requirements, and some acquirers permit sensitive authentication data to be stored, but only prior to payment authorization.
PCI DSS cardholder data includes the cardholder name, primary account number, service code, and expiration date. PCI DSS also covers sensitive authentication data, including PINs, PIN blocks, CAV, CVV, CVC, and CID numbers, and full track data, which includes chip and magnetic stripe data.
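The two data classes above, together with the rule in the previous answer that sensitive authentication data may only be held before authorization, can be turned into a storage check. The following is an added example (not from the page or from the PCI SSC); the field names, the sample record and the track-data sentinel patterns it matches are assumptions made for the example.

```python
import re

# Field classes as named on the page; the field keys themselves are assumptions
# for this example, not PCI DSS identifiers.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
SENSITIVE_AUTH_DATA = {"pin", "pin_block", "cav", "cvv", "cvc", "cid", "track1", "track2"}

# Magnetic-stripe track layouts: track 1 opens with '%B', then the PAN and a
# '^' separator; track 2 opens with ';', then the PAN and an '=' separator.
# Matching these spots full track data copied into an unlabelled text field.
TRACK_DATA = re.compile(r"%B\d{12,19}\^|;\d{12,19}=")


def classify(field_name):
    """Map a stored field name to 'CHD', 'SAD' or 'other'."""
    name = field_name.lower()
    if name in SENSITIVE_AUTH_DATA:
        return "SAD"
    if name in CARDHOLDER_DATA:
        return "CHD"
    return "other"


def check_record(record, authorized):
    """Return (field, finding) pairs for one stored transaction record.

    authorized=True means payment authorization has completed, after which
    sensitive authentication data may no longer be retained.
    """
    findings = []
    for name, value in record.items():
        kind = classify(name)
        if kind == "SAD" and authorized:
            findings.append((name, "SAD retained after authorization"))
        elif kind == "other" and isinstance(value, str) and TRACK_DATA.search(value):
            # Track data hiding in a free-text field is SAD regardless of its label.
            findings.append((name, "unlabelled field holds full track data"))
    return findings


def purge_sad(record):
    """Return a copy of the record with every labelled SAD field removed."""
    return {k: v for k, v in record.items() if classify(k) != "SAD"}


# Constructed sample record (test PAN, not real card data).
SAMPLE = {
    "pan": "4111111111111111",
    "cardholder_name": "J DOE",
    "expiration_date": "2612",
    "cvv": "123",
    "notes": "terminal dump: %B4111111111111111^DOE/J^2612101?",
}

if __name__ == "__main__":
    for finding in check_record(SAMPLE, authorized=True):
        print(finding)
```

Note that `purge_sad` only removes fields that are labelled as SAD; the track data copied into the `notes` field survives the purge and is still reported, which is why a post-authorization check has to scan values, not just field names.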
Service providers are entities that store, process, or transmit cardholder data. Merchants, on the other hand, accept card payments for goods or services from any of the five PCI Security Standards Council members, which are Discover, JCB International, American Express, MasterCard Worldwide, and Visa Inc.
A PCI DSS assessment (audit) covers all system components that are connected to the business’s cardholder data environment (CDE). The scope of the CDE covers all personnel, technology, and processes that store, process, or transmit a customer’s cardholder information and sensitive authentication data. Examples of system components include applications, computing devices, servers, and network devices.
PIN Transaction Security covers the management of the devices used to protect cardholder PINs. Merchants, processors, and financial institutions should only use components and devices that have been tested and approved by the PCI SSC.