What data is protected by PCI DSS?

What is PCI DSS?

PCI DSS, which stands for Payment Card Industry Data Security Standard, is a set of security standards that organizations must implement to protect credit card and other payment card data. PCI DSS was developed by the major card brands, including Visa, Mastercard, American Express, and Discover, to ensure that businesses that process, store, or transmit cardholder data maintain a secure environment. The standard outlines requirements for security policies, access to cardholder data, secure network infrastructure, and other measures to protect sensitive information. PCI DSS applies to all organizations that handle payment card transactions, including merchants, service providers, and financial institutions. Compliance with PCI DSS is essential for businesses to maintain the trust of their customers and avoid costly data breaches.

What data is protected by PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect sensitive cardholder data during credit card transactions. It encompasses various types of data that need to be safeguarded.

The primary account number (PAN) is the key piece of information protected by PCI DSS. This is the unique number embossed or encoded on the credit or debit card. Additionally, the cardholder name, expiration date, and service code (used for specific authorization purposes) are also considered sensitive cardholder data that need to be protected.

PCI DSS requires businesses to implement strong access control measures to ensure that only authorized personnel can access and handle this data. This includes restricting access on a need-to-know basis and implementing multi-factor authentication.

To safeguard such data, PCI DSS also mandates secure systems and network settings, the use of strong cryptography and encryption to protect data during transmission, and regular vulnerability management programs.

By complying with PCI DSS, businesses can ensure the protection of cardholder data and minimize the risk of credit card fraud and data breaches, providing a secure environment for payment card transactions.

Types of cardholder data protected by PCI DSS

PCI DSS protects various types of cardholder data to ensure the security of credit and debit card transactions. One of the key pieces of information safeguarded is the primary account number (PAN), which is the unique number on the card. Alongside the PAN, the cardholder name, expiration date, and service code (used for authorization purposes) are deemed sensitive cardholder data. These data points are the focus of PCI DSS regulations, and businesses must implement strong access control measures to limit access to authorized personnel. This involves employing multi-factor authentication and restricting access on a need-to-know basis. Furthermore, PCI DSS mandates the use of secure systems and network configurations, as well as strong cryptography and encryption methods to protect data during transmission. Regular vulnerability management programs are also required to identify and address any potential security weaknesses. By addressing these important aspects of cardholder data protection, PCI DSS ensures the integrity and confidentiality of payment card transactions.

Primary account number (PAN)

The primary account number (PAN) is a key piece of information in card transactions and plays a critical role in the payment card industry. It is a series of numbers that uniquely identifies a payment card, such as a credit or debit card. The PAN is printed or encoded on the card's magnetic stripe or chip, and it is used to initiate and authorize transactions.

PCI DSS, or Payment Card Industry Data Security Standard, sets guidelines for securing cardholder data, including the PAN. While it allows for the storage of cardholder data, including the PAN, it also emphasizes the need to minimize storage and implement disposal and data retention policies.

Minimizing storage means that businesses should only retain cardholder data that is necessary for their operations. By doing so, they reduce the risk exposure and potential impact of a data breach. It also helps them comply with PCI DSS requirements.

Implementing disposal and data retention policies ensures that businesses securely dispose of any unnecessary cardholder data after a specified period. This helps protect against unauthorized access or misuse of sensitive information.
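Minimizing storage starts with knowing where PANs have ended up unintentionally, for example in application logs. The following is an added example, not part of the original article: a small Python scanner that finds PAN candidates in log lines, confirms them with the Luhn check, and masks them. The Luhn check, the first-six/last-four masking format, the function names and the sample log lines are assumptions chosen for illustration.

```python
import re

# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2024-01-15 09:30:00 INFO checkout started session=ab12",
    "2024-01-15 09:30:02 DEBUG request body card=4111 1111 1111 1111 exp=12/27",
    "2024-01-15 09:30:03 INFO order_ref=4111111111111112 status=ok",
    "2024-01-15 09:30:05 ERROR gateway timeout pan=5555-5555-5555-4444",
]

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask everything between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return (line with PANs masked, list of masked PANs found)."""
    findings = []

    def _replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order reference; leave untouched
        masked = mask_pan(digits)
        findings.append(masked)
        return masked

    return PAN_CANDIDATE.sub(_replace, line), findings


def scan_log(lines):
    """Return [(1-based line number, [masked PANs])] for lines holding PANs."""
    report = []
    for number, line in enumerate(lines, start=1):
        _, findings = scan_line(line)
        if findings:
            report.append((number, findings))
    return report


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {findings}")
```

The Luhn check is what keeps the order reference on the third sample line from being reported, since long digit strings that are not card numbers usually fail it.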

Cardholder name

The cardholder name plays a crucial role in PCI DSS compliance as it is one of the components of cardholder data that needs to be protected. In addition to the primary account number (PAN), expiration date, and service code, the cardholder name is considered sensitive information that should be safeguarded.

When a credit or debit card is used for a transaction, the cardholder name is usually required. It is an essential piece of information that is part of the cardholder data environment (CDE). The CDE encompasses any systems, networks, and processes involved in the processing, transmission, or storage of cardholder data. Therefore, the cardholder name, along with other components, is subject to the security requirements outlined by PCI DSS.

Protecting the cardholder name is vital to ensure secure transactions and prevent any unauthorized access or misuse of sensitive information. By implementing strong access control measures, encryption protocols, and vulnerability management programs, businesses can maintain the confidentiality and integrity of the cardholder name. This not only helps organizations meet the compliance requirements of PCI DSS but also instills trust and confidence in customers, as their personal data is handled with utmost care.

Expiration date

The expiration date of a credit or debit card is a crucial piece of information that needs to be protected as part of cardholder data. It plays a significant role in ensuring the security and integrity of transactions and must be handled securely in compliance with PCI DSS requirements.

Expiration dates are considered sensitive information because they provide an indication of the card's validity and can be used in fraudulent activities if accessed by unauthorized individuals. Storing and transmitting expiration dates without proper security measures in place can expose businesses and their customers to various risks.

One potential risk associated with storing expiration dates is the possibility of data breaches or unauthorized access. If a hacker gains access to a database containing expiration dates, they can exploit this information to carry out fraudulent transactions or engage in identity theft.

Another risk is the interception of expiration dates during transmission. If the data is transmitted over unsecured networks or systems, it becomes vulnerable to interception by cybercriminals who can misuse it for malicious purposes.

To mitigate these risks, businesses utilize technology and security measures such as encryption, tokenization, and secure transmission protocols. Encryption involves converting expiration dates into a coded format that can only be deciphered with the appropriate decryption key, making it unreadable to unauthorized parties. Tokenization involves substituting the expiration date with a unique identifier or token, ensuring that the actual data is not directly stored or transmitted. Secure transmission protocols like SSL/TLS encrypt the data during transmission, protecting it from interception.

By implementing these technology and security measures, businesses can ensure the protection of expiration dates and maintain the security and trust of cardholder data. Compliance with PCI DSS requirements is crucial to establish a strong and secure environment for handling sensitive information.

Service code

In the context of PCI DSS compliance, the service code refers to the three-digit code found on the magnetic stripe of a payment card. This code contains information about the specific services and features associated with the card, such as the card's acceptance capabilities and the conditions under which it can be used.

The service code is considered a part of the cardholder data and is therefore subject to the protection requirements outlined by PCI DSS. Compliance with PCI DSS is crucial for organizations that handle payment card data, as it ensures the secure processing, storage, and transmission of this sensitive information.

The service code plays a significant role in the protection of cardholder data because it provides essential details about the card's capabilities, restrictions, and validation requirements. Safeguarding the service code helps prevent unauthorized individuals or entities from exploiting this information for fraudulent activities.

To adhere to PCI DSS compliance requirements and secure the service code, organizations must implement strong access control measures, maintain secure systems, and employ encryption techniques to protect sensitive cardholder data. Additionally, regular vulnerability management programs and rigorous security assessments are necessary to identify and address any potential vulnerabilities that could compromise the service code and other cardholder data.

By prioritizing the protection of the service code, businesses can enhance the overall security of payment card transactions and maintain compliance with PCI DSS standards.

Magnetic stripe data and chip data

PCI DSS provides rigorous security standards to protect both magnetic stripe data and chip data. These data elements are crucial as they contain sensitive information that, if compromised, can lead to fraudulent activities and breaches of cardholder privacy.

Magnetic stripe data includes the account number, expiration date, and service code. This data is stored on the magnetic stripe on the back of payment cards. Chip data, on the other hand, is stored on the embedded microchip within the card and includes the cardholder's name, account number, expiration date, and additional security features.

To safeguard this protected data, PCI DSS requires strict security measures. Organizations must adhere to strong access control measures and ensure that only authorized individuals have access to the data. Secure systems and networks must be maintained to prevent unauthorized access. Encryption techniques must be employed to protect the data during transmission.

Regular vulnerability management programs and assessments are necessary to identify and address any potential vulnerabilities that could compromise magnetic stripe data and chip data. It is crucial for organizations to implement these security measures to maintain trust with cardholders and to prevent credit card fraud and data breaches.

Security code/PINs and PIN blocks

The Payment Card Industry Data Security Standard (PCI DSS) places great importance on the protection of sensitive cardholder data, including security codes, PINs, and PIN blocks.

The security code, also known as the card verification value (CVV) or card verification code (CVC), is a three- or four-digit number printed on the credit or debit card. This code is used as an additional security measure for online or over-the-phone transactions. PINs, on the other hand, are personal identification numbers used for authentication during in-person transactions at ATMs or point-of-sale terminals. PIN blocks are encrypted data that includes the PIN and other related information.

These security measures play a crucial role in safeguarding cardholder data. The security code provides an extra layer of verification, ensuring that the person using the card possesses the physical card itself. Similarly, PINs and PIN blocks are used for authentication purposes, helping to prevent unauthorized access to the cardholder's funds.

However, security codes, PINs, and PIN blocks are not immune to vulnerabilities. They can be compromised through various means such as phishing attacks, hacking, or even physical theft. Once obtained, criminals can use this information to commit fraud or unauthorized transactions.

To mitigate these risks, PCI DSS requires a range of security controls and measures. Encryption is a critical requirement to protect security codes, PINs, and PIN blocks both during transmission and when stored in databases or systems. Strong key management practices, such as regularly changing encryption keys, are essential to prevent unauthorized decryption of the data. Additionally, organizations should implement strict access controls and regularly train employees to identify and report suspicious activity.

By diligently following these PCI DSS security controls and measures, businesses can effectively protect security codes, PINs, and PIN blocks, ultimately reducing the risk of credit card fraud and ensuring the security of payment card transactions.

Technology used to protect cardholder data

Technology plays a crucial role in protecting cardholder data in the payment card industry. With the increasing risk of data breaches and credit card fraud, organizations need to employ strong technological measures to safeguard sensitive information. This includes encrypting transmission of cardholder data, implementing secure networks and systems, and utilizing strong access control measures. By utilizing advanced technologies such as encryption algorithms, secure network protocols, and multi-factor authentication, organizations can ensure the protection of cardholder data throughout its lifecycle. Additionally, regular vulnerability management programs and adherence to security standards such as PCI DSS help organizations stay up to date with the latest security requirements and continuously assess and address potential vulnerabilities. The continuous evolution of technology is crucial in ensuring the continued protection of payment card transactions and maintaining the trust of consumers and card brands.

Encryption and tokenization

Encryption and tokenization are two important methods used to protect cardholder data in accordance with PCI DSS compliance standards.

Encryption involves the use of algorithms to convert plain-text cardholder data into unreadable, cipher-text format. This ensures that even if the data is intercepted or accessed by unauthorized individuals, it cannot be understood without the decryption key.

Tokenization, on the other hand, replaces sensitive cardholder data with randomly generated tokens. These tokens have no value or meaning outside of the specific system they are used in. The actual cardholder data is securely stored in a separate system, while the token is used for general business processes.

Both encryption and tokenization can be used in different parts of the payment card processing cycle. Encryption is commonly used to protect data in transit, ensuring the secure transmission of cardholder data across public networks. Tokenization is often used to protect stored data, minimizing the risk associated with storing sensitive information such as credit card numbers.

PCI DSS compliance requires the use of approved encryption and tokenization standards. Some of the approved encryption standards include AES (Advanced Encryption Standard) and TDES (Triple Data Encryption Standard), while tokenization standards include Format-Preserving Tokenization (FPT) and Secure Hash Algorithm 256 (SHA-256).

Implementing encryption and tokenization in a secure environment is crucial for protecting cardholder data, both during transmission and storage. These methods help to reduce the risk of data breaches and unauthorized access, maintaining the confidentiality and integrity of payment card transactions.
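The tokenization flow described above, as an added example that is not part of the original article: a Python sketch of a token vault in which business systems hold only a random token, while the PAN stays in the vault and is released only to an authorized role. The class name, the token format (random hex plus the last four digits), the role names and the in-memory storage are assumptions for illustration; a real vault would be a separate, hardened service that encrypts PANs at rest.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the separate system that holds the real PANs."""

    def __init__(self, allowed_roles=("settlement",)):
        self._allowed_roles = set(allowed_roles)
        self._token_to_pan = {}
        self._pan_to_token = {}
        self.audit_log = []          # (role, token, allowed) per detokenize call

    def tokenize(self, pan: str) -> str:
        """Return a random token for the PAN; the same PAN maps to one token."""
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("expected a 13-19 digit PAN")
        existing = self._pan_to_token.get(digits)
        if existing is not None:
            return existing
        while True:
            # The random part comes from a CSPRNG and is not derived from the
            # PAN, so the token cannot be reversed without the vault. The last
            # four digits are kept only so receipts can show them.
            token = f"tok_{secrets.token_hex(12)}_{digits[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Release the PAN only to an allowed role; record every attempt."""
        allowed = role in self._allowed_roles
        self.audit_log.append((role, token, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]   # KeyError for an unknown token


def demo():
    """Create an order record that carries the token instead of the PAN."""
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # public test card number
    order = {"order_id": 1001, "card_token": token, "amount": "10.00"}
    return vault, order


if __name__ == "__main__":
    vault, order = demo()
    print(order)                                            # no PAN in the record
    print(vault.detokenize(order["card_token"], "settlement"))
```

Systems that store only the `card_token` value never hold the PAN; only the vault and the roles allowed to call `detokenize` do.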

Secure systems and networks

PCI DSS (Payment Card Industry Data Security Standard) requires organizations to implement secure systems and networks to ensure the protection of cardholder data. This involves several key measures to mitigate the risk of unauthorized access and data breaches.

One vital element is firewall configuration. Organizations must have robust firewalls in place to control network traffic and prevent unauthorized access to cardholder data. Firewalls act as a barrier between external networks and the cardholder data environment, monitoring and filtering incoming and outgoing traffic. By properly configuring firewalls, organizations can restrict access to only necessary and trusted sources, reducing the potential for data compromise.

Another important aspect is the avoidance of vendor-supplied defaults for system passwords. Default passwords are often publicly known or easily guessable, making systems vulnerable to unauthorized access. PCI DSS mandates that organizations change these defaults and use strong, unique passwords for all systems and applications that handle cardholder data. This ensures that only authorized personnel can access sensitive information, reducing the risk of data breaches.

Furthermore, PCI DSS emphasizes the use of secure protocols like Transport Layer Security (TLS) to encrypt data transmissions. TLS ensures that cardholder data is securely transmitted between systems, protecting it from interception and unauthorized access. Implementing secure protocols adds an extra layer of protection to cardholder data, safeguarding it during the transmission process.

By implementing secure systems, networks, firewall configurations, and avoiding vendor-supplied defaults, organizations can meet PCI DSS requirements and effectively protect cardholder data from potential threats and unauthorized access.

Firewalls and anti-virus software

Firewalls and anti-virus software play a crucial role in achieving PCI DSS compliance, ensuring the protection of cardholder data. Organizations are required to install, maintain, and regularly update antivirus software to effectively combat malicious software and prevent data breaches.

Regularly scheduled scans are essential to detect and mitigate any potential threats. These scans identify viruses, malware, and other security vulnerabilities that could compromise the security of the cardholder data environment. Organizations must generate audit records to document the results of these scans and demonstrate compliance with PCI DSS requirements.

To maintain the integrity of the security measures, PCI DSS mandates restricting the ability to deactivate or modify antivirus software. This prevents unauthorized individuals from disabling or bypassing these critical protection measures.

Additionally, organizations must identify and classify vulnerabilities in their systems, such as buffer overflows and cross-site scripting. Compliance requires conducting regular vulnerability assessments and penetration testing, including web application penetration testing, to proactively identify and address any weaknesses in the security infrastructure.

By implementing and maintaining robust firewalls and up-to-date antivirus software, organizations can enhance their overall security posture and fulfill PCI DSS compliance requirements. These security measures protect against unauthorized access, malicious attacks, and data breaches, safeguarding sensitive cardholder data from potential threats.

Strong access control measures

Strong access control measures are a crucial component of the Payment Card Industry Data Security Standard (PCI DSS) to ensure the protection of cardholder data. Access controls refer to the policies, procedures, and technical mechanisms used to limit access to sensitive information. PCI DSS requires both physical access controls and logical access controls to be implemented effectively.

Physical access controls involve physical barriers and security systems to restrict access to areas where cardholder data is stored or processed. This includes measures such as access cards, surveillance cameras, and alarms. These controls ensure that only authorized personnel can physically access the cardholder data environment.

Logical access controls, on the other hand, focus on restricting access to cardholder data within computer systems and networks. This is achieved through user authentication mechanisms, such as passwords, biometrics, or multi-factor authentication. Access permissions are granted based on the principle of least privilege, which means that individuals are only given access to data and systems necessary for their job functions.

PCI DSS emphasizes the importance of implementing strong access control measures to prevent unauthorized access to cardholder data. This includes policies and procedures that outline the need-to-know basis for accessing cardholder data, ensuring that only those individuals who require the information for their job responsibilities have access.

Furthermore, identification and authentication of system components, such as servers and applications, play a key role in access control. Each component should have a unique identifier and be authenticated before granting access. This helps prevent unauthorized devices or systems from accessing cardholder data.

To strengthen access control measures, PCI DSS also requires restrictions on physical access to cardholder data. This involves measures such as securing physical access points, monitoring visitor access, and implementing video surveillance.

Payment processing environment covered by PCI DSS

The payment processing environment covered by PCI DSS refers to the ecosystem in which payment card transactions are processed, including the organizations, systems, and networks involved. PCI DSS, which stands for Payment Card Industry Data Security Standard, is a set of requirements and standards that organizations must adhere to in order to protect cardholder data and ensure secure payment processing.

The PCI DSS requirements encompass various aspects of security, including network security, access controls, encryption, vulnerability management, and monitoring. Organizations that handle payment card information are required to implement strong security controls to protect cardholder data from unauthorized access, misuse, or theft.

The PCI Security Standards Council (PCI SSC) is responsible for developing and maintaining the PCI DSS guidelines and standards. The PCI SSC is an independent organization created by major card brands, including Visa, Mastercard, American Express, Discover, and JCB International, to keep payment card data secure and promote consistent security standards globally.

The PCI SSC provides guidance and resources to help organizations understand and implement the PCI DSS requirements effectively. It also offers self-assessment questionnaires and conducts audits to ensure compliance with the standards. By adhering to the guidelines set by the PCI SSC, organizations can create a secure payment processing environment and minimize the risk of data breaches and fraudulent activities.
