The Do's and Don'ts of PCI Data Storage

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards developed by the PCI Security Standards Council. PCI-DSS is comprised of twelve requirements focused on protecting cardholder data. Requirement 3 of the PCI-DSS directs merchants to “protect stored cardholder data.” Merchants and service providers should first aim to eliminate or limit storage of cardholder data. When data storage is necessary, this data must be stored securely and according to the individual PCI compliance requirements.

What Is Cardholder Data?

Cybercriminals are looking to steal account data by compromising merchants and service providers. This data is classified as either Cardholder Data (CHD) or Sensitive Authentication Data (SAD).

Cardholder Data (CHD) is typically data that is printed on the front of the card. This includes the primary account number (PAN), cardholder name, and expiration date. Sensitive Authentication Data includes the CVV code, track data contained in the magnetic stripe, PIN/PIN Block, and EMV chip data.

What Cardholder Data Can and Can’t Be Stored

Sensitive authentication data cannot be stored after authorization. Storage of cardholder data must be limited to that which is required by legal, regulatory or business needs.

PCI Data Storage: Do's

Do: Know the flow of payment card data throughout the transaction process.

Merchants and service providers must be aware of the flow of account data throughout the transaction process. Merchants are responsible for developing data retention policies and understanding which systems may affect the security of account data.

Do: Use strong cryptography to render unreadable cardholder data that is stored.

If cardholder data is stored, it must be rendered unreadable using one of the accepted methods listed in PCI-DSS required 3.4. This must be done through either one-way hashes, truncation, index tokens and pads, or strong cryptography including requirements for key management and strength at or above industry standards.

Use industry-tested and accepted hashing algorithms for encryption including SHA-1, AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher) along with layered security technologies to minimize the risk of data compromise. Additionally, merchants must have a methodology for secure deletion and a quarterly process to identify the presence of cardholder data stored outside of the retention policy.

Do: Follow PCI DSS requirements, validated by yourself or outside assessment.

All merchants and service providers involved in the storage, processing, and transmission of account data must validate PCI compliance. The PCI-DSS is a list of requirements designed to limit the possibility of exposure of account data. This exposure is typically the result of malicious actors looking to compromise merchants through physical means, or more commonly, through the use of malware. Small merchants can validate PCI compliance through a self-assessment questionnaire, or SAQ, process. Larger merchants and service providers should engage a third party Qualified Security Assessor to validate compliance with all PCI requirements.

Do: Be sure to report regularly as a part of mandated PCI DSS compliance.

Merchants are required to validate compliance annually. Merchants should submit evidence of compliance to their acquiring bank in accordance with that acquiring bank’s PCI compliance program.

Do: Ensure third parties who process customers' payment cards comply with the PCI DSS as applicable.

Merchants are always responsible for the security of their customers’ account data. In cases where a merchant has engaged with a third party that can affect the security of that data, they must validate the PCI compliance of those entities. If a third party service provider has not validated PCI compliance, the services provided must be validated as part of the merchant’s PCI validation. A service provider must provide the merchant with clear access and password protection policies.

PCI Data Storage: Don'ts

Don't: Store cardholder data unless necessary.

Merchants can never store sensitive authentication data after authorization. Merchants can store cardholder data, but should only do so when absolutely necessary for legal, regulatory or business purposes. Stored cardholder data is a target for cybercriminals looking to steal this data and use it to perform fraudulent transactions. For card-on-file or recurring billing transactions, merchants should take advantage of tokenization services.

Don't: Store sensitive authentication data contained in the payment card's chip or magnetic stripe.

Data contained in the EMV chip and magnetic stripe, as well as the 3 or 4 digit validation code (CVV) and PIN/PIN Block, are considered sensitive authentication data and cannot be stored.

Don't: Print or display cardholder data that is not adequately masked.

Merchants must not print the expiration date or unmasked primary account number on receipts. The primary account number should be masked whenever printed or displayed, with the maximum number of digits being the first six and last four digits.

Don't: Store payment card data in unprotected endpoint devices or send data through chat, messaging or other end-user messaging services.

Cardholder data must only be stored in a secure environment that is not accessible to the public internet. This data cannot be stored on unprotected endpoint devices such as a phone, laptop, or PC. This data must also not be sent through chat, messaging or other end-user messaging services.

Don't: Locate servers/payment card system storage devices outside of fully-secured rooms.

Access to any systems that store cardholder data must be restricted appropriately. This includes access control measures that include visitor logs, physical access controls and video monitoring. Databases that store cardholder data cannot be available to the public internet.

Don't: Engage in data security practices that violate the PCI DSS regulations, following the goals established by the Council.

Merchants that fail to comply with the PCI-DSS requirements are much more likely to become a victim of a data breach. Validating PCI compliance and developing robust policies and procedures to protect or eliminate stored cardholder data is the best way to avoid a costly data breach.


Service providers and merchants should limit the storage of cardholder data. When they must store data, it needs to be stored securely and in accordance with PCI requirements. Taking these proper precautions can help prevent damaging and costly data breaches. OpenEdge can help walk you through PCI data storage requirements - contact us today.

PCI data storage do's and don'ts infographic

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.

View Profile

Richard Rohena