Purpose
This document establishes a formal standard for the protection of cardholder data within Cardholder Data Environments (CDE) and outlines the related requirements of the Payment Card Industry Data Security Standard (PCI DSS) that must be implemented in every UMD network infrastructure that processes cardholder data.
Additional authority
The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 3
Scope
This standard applies to all UMD IT elements that are attached to a Cardholder Data Environment (CDE) network. All systems processing cardholder data, meaning the full Primary Account Number (PAN), or the full PAN plus any of the following: cardholder name, expiration date, service code, information from the magnetic stripe or card chip, and/or Personal Identification Number (PIN), must only be connected to a designated CDE network. Further, this standard also applies to all forms of storage media, including paper.
Standard
Cardholder data must not be stored unless it is necessary to meet business needs, and then only within the confines of the CDE network. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use. It is crucial that organizations storing cardholder data render it unreadable.
NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.
Requirements
- Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary cardholder data at least quarterly.
- Do not store sensitive authentication data after authorization, whether encrypted or not. Render all sensitive authentication data unrecoverable upon completion of the authorization process. The chart at the end of this standard outlines obligations for different data elements.
- Mask the PAN when displayed (the first six and last four digits are the maximum that can be displayed). This does not supersede stricter requirements for point-of-sale receipts.
- The PAN must be rendered unreadable anywhere it is stored. This includes portable digital media, backup media, logs, and data received from or stored by wireless networks. Technology solutions include a strong one-way hash of the entire PAN, truncation, or strong cryptography.
- Procedures to protect any keys used for encryption of cardholder data must be documented and implemented.
- Key management processes and procedures must be fully documented for cryptographic keys used to protect cardholder data.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
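The masking and log-storage requirements above, as an added example that is not part of the UMD standard: a display-masking helper that keeps only the first six and last four digits, and a log-line scrubber that uses the Luhn check to tell candidate PANs apart from ordinary numbers before masking them. The regex, the sample log line, and the function names are constructed for this illustration.

```python
import re

# Added example, not code from the UMD standard. Digit runs of the lengths
# issued as PANs (13-19 digits); the pattern is a constructed assumption.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; keeps timestamps and reference numbers from
    being mistaken for PANs when scrubbing logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by the standard: at most the first six and
    last four digits remain visible; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", pan)          # tolerate spaces/dashes in input
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line with its masked
    form, so a full PAN is never written to log storage."""
    def repl(m: re.Match) -> str:
        run = m.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return PAN_CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    # Constructed sample line using a well-known Luhn-valid test number;
    # the 14-digit reference is not Luhn-valid and must be left untouched.
    sample = "2024-05-01 POS-7 auth ok pan=4111111111111111 ref=20240501093000"
    print(scrub_log_line(sample))
```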
Guidelines for cardholder data elements
Data type | Data element | Storage permitted | Render stored data unreadable per 3.4 |
---|---|---|---|
Cardholder Data | Primary Account Number | Yes | Yes |
Cardholder Data | Cardholder Name | Yes | No |
Cardholder Data | Service Code | Yes | No |
Cardholder Data | Expiration Date | Yes | No |
Sensitive Authentication Data | Full Track Data | No | Cannot store per 3.2 |
Sensitive Authentication Data | 3 or 4 Digit Security Code | No | Cannot store per 3.2 |
Sensitive Authentication Data | PIN/PIN Block | No | Cannot store per 3.2 |