Cardholder Data in Payment Processing

Aside from getting paid, security is arguably the most important part of credit card processing. Each time your business handles a consumer credit card, the customer trusts you to protect their sensitive financial information—including their cardholder data. 

There are lots of misconceptions amongst merchants about what cardholder data includes and how they need to protect it. That’s why we created this guide.

Below you’ll find everything you need to know about cardholder data and how it applies to credit card processing.

What is Cardholder Data?

Cardholder data includes any personally identifiable information associated with the card owner. As defined by the PCI SSC (PCI Standard Security Council), all of the following elements are considered to be cardholder data. 

• PAN — PAN stands for “primary account number.” Also known as the account number, this is the unique payment card number on a debit or credit card that identifies the cardholder account and card issuer.
• Cardholder Name — The name appearing on the card and the name associated with the account.
• Expiration Date — When the card is no longer valid.
• Service Code — The three or four-digit number in a magnetic stripe. The service code is used for things like usage restrictions, international vs. national interchange, and other service attributes. 
• Magnetic Stripe Data — Commonly referred to as “full track data” or just “track data,” this is encoded into the magnetic stripe or chip of the card to authorize payment transactions.
• PIN — Personal identification number. A secret numeric code known only to the cardholder for authentication purposes. PINs are typically used at ATMs and required for some EMV chip card transactions where the PIN is used in place of the cardholder’s signature. 
• Card Verification Code — Also known as a Card Validation Code or sometimes referred to as a Card Security Code. This can refer to magstripe data or printed security features associated with the card.
• Sensitive Authentication Data — All sensitive security information. This could include validation codes, chip data, magnetic stripe data, PINs, and anything else used to authorize or authenticate a card transaction. 

All of this is the minimum definition of cardholder data. Other personal identifiers associated with the cardholder could also fall into this category. Any information on the front or back of the card is always considered cardholder data.

Why Cardholder Data Matters For PCI Compliance

PCI compliance encompasses a wide range of different security guidelines. But cardholder data is a foundational element of understanding PCI compliance and how it works.

Merchants can be fined for PCI non-compliance fees and potentially lose their ability to process credit cards for serious and repeated violations. 

In addition to PCI compliance, there are other local, state, and region-specific rules that may apply to how your business needs to handle sensitive consumer data.

The GDPR (General Data Protection Regulation) in Europe is a perfect example here. Businesses subject to GDPR laws must take even greater measures to secure data beyond the card itself. This could include things like home addresses, phone numbers, and any other personal identifiers. 

How to Stay PCI Compliant While Dealing With Cardholder Data

To maintain PCI compliance and protect cardholder data, merchants must focus on four key areas of PCI security standards:

• Point-to-Point (P2P) Encryption — Businesses must encrypt the cardholder data while it’s being transmitted so third parties won’t be able to read or access the information during transit. 
• PCI Pin Transaction Security (PTS) Requirements — Cardholder PIN data must be secured and protected.
• PCI Data Security — Merchants must use a combination of technical and operational standards to keep cardholder data secure.
• Payment Application Data Security Standards (PA-DSS) — Software vendors and payment applications for processing, storing, and transmitting cardholder data must be secure. 

As long as cardholder data is not kept on file after the transaction, your business can remain PCI compliant. 

But some organizations wish to store some data to improve the customer experience, whether it be for faster checkouts or recurring charges. If you fall into this category, there are additional guidelines you must follow to achieve payment compliance. 

You can keep the data in a computer system or software that’s PCI compliant. Or you can use a third-party service to store the data on their servers, only keeping a token on file for your business. Tokenization has become increasingly popular for protecting sensitive data because the tokens themselves do not contain any cardholder data. Therefore, tokens are not subject to the same rules for PCI compliance. 

How Businesses Can Protect Cardholder Data

Beyond PCI compliance and following card-specific regulations, there are several practical steps your business can take to protect cardholder data. These are my top recommendations:

• Make sure you’re only using software and hardware from trustworthy and reliable vendors.
• Create and maintain an internal IT security system (including firewall maintenance, technology upgrades, audits, etc.).
• Never keep cardholder data stored on handwritten or printed pieces of paper.
• Ensure your entire organization understands the importance of protecting cardholder data, and train your employees on how to safely process cardholder data while maintaining PCI compliance.
• Perform regular audits of your payment systems and terminals to ensure they haven’t been tampered with or physically compromised.

Overall, your payment processor and payment technology providers will be the first line of defense in helping your business protect cardholder data and remain PCI compliance. So make sure they’re setting you up for success.

Common Misconceptions About Cardholder Data

Lots of merchants don’t quite understand what cardholder data is and what they’re supposed to do with it. 

The biggest misconception is that cardholder data only refers to the account number and verification code. But as you can see from what we’ve covered, there are lots of other components that constitute cardholder data, at a minimum. 

Another common misconception about cardholder data is the way it needs to be stored. Merchants are under the assumption that the data must be encrypted for storage purposes. But this is only partially true.

Only the primary account number needs to be encrypted. No other sensitive authentication data can be stored. 

Final Thoughts on Protecting Cardholder Data in Credit Card Processing

It’s the duty and responsibility of a merchant to protect their customers. Businesses of all shapes and sizes across every industry are subject to breaches. From hackers to employees with malicious intent, failure to properly secure cardholder data can lead to big problems for your business. 

At the end of the day, safeguarding cardholder data is necessary to protect your business. Between fines, penalties, losing customers, or damage to your reputation, there are lots of things that can go wrong here.

Don’t have the “it won’t happen to me” mentality, and make sure you’re doing everything in your power to remain compliant and secure cardholder data.