NL +31 (0)20 4232420 / SP +34 937 379 542

This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement.  

Protect Cardholder Data

Up to now, we have seen how to determine the scope of PCI DSS and how to configure the devices in it securely. The third requirement describes the best practices to protect cardholder data. In order to minimize the risks, a data analysis is required to defined which data is really necessary to store. We will explain the main challenges and steps that we must consider.


6 ways to Protect Cardholder Data


1) Document the data retention and eliminating policy. Make sure the following is clear:

  • What data is to keep
  • Why is the data stored
  • How long should the data be stored
  • Where is the data stored
  • How is the data stored
  • When should the data be deleted
  • How the data should be eliminated securely

2) Keep in mind that PCI DSS only allows storing:

  • the main account number (PAN);
  • the expiration date;
  • cardholder name; and
  • the service code

after the authorization process ended. ALL other data must be removed safely immediately after the authorisation process is finished.

3) Keep the PAN illegibly by implementing one of the below methods:

  • One-way hashes based on strong cryptography (hash must include full PAN)
  • Truncation is to permanently remove a segment of the PAN data. It is not to exceed the first and six and last four digits.
  • Strong cryptography with associated key-management processes and procedures.

4) All these data retentions and eliminate definitions depend exclusively on the needs of the business and the local legal regulations that apply into your industry or on the type of data that is retained.

5) Define a procedure to identify and securely delete stored data that has exceeded the retention period established in the data retention and deletion policy.

6) Document and implement procedures that protect encryption keys against their possible disclosure or misuse. It must detail all the algorithms, protocols, keys used and the definition of its encryption period.

Cards data are one of the most important assets of the payment industry at the same time they are the most attractive for criminals. For these reasons, developing complete and detailed documentation will allow reducing the risk in addition to complying with the PCI DSS requirement.

Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data  
PCI DSS requirement 4: Encryption  
PCI DSS requirement 5: Update and Scan 
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD 
PCI DSS requirement 8: Identify, Authenticate, and Authorize  
PCI DSS requirement 9: Restrict physical access to Cardholder data