Do the cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?
For PCI DSS requirement 3.4 and the protection of specific cardholder data elements, the table on page 2 illustrates that if the cardholder name, expiration date, or other cardholder data is recorded in conjunction with the PAN, these additional cardholder data elements are still required to be “protected”, even if the PAN is rendered unreadable. This means that all other requirements in the PCI DSS (such as firewall, patches, anti-virus, access controls, policies and procedures, etc.) must be adhered to for protection of those cardholder data elements stored in conjunction with the PAN, but only the PAN must be rendered unreadable. Please note that if the PAN is not stored, processed, or transmitted, PCI DSS does not apply, even if other non-sensitive cardholder data is stored.