Cardholder data, or the information associated with a particular credit card or debit card, is incredibly valuable to bad actors who can use it to commit fraud and theft. 

In fact, from 2017 to 2019 and once again in the first half of 2022, credit card fraud was the most common type of identity theft

PCI DSS set new standards for payment data protection in order to prevent these illegal activities. In order to comply with them, merchants and service providers must understand what is considered cardholder data and how to protect this data under PCI DSS.

PCI merchant vs. service provider

Before determining your PCI DSS level, you must identify which category your business falls into: merchant or service provider. 

Merchants are businesses that accept card payments from any of the five members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa). 

Service providers are not card payment brands, but can be directly involved with the processing, storage, and transmission of cardholder data on behalf of a merchant, generally impacting the security of their customers' cardholder data. 

Service providers also include companies that provide services that could impact the security of cardholder data. Examples of service providers include managed service providers that offer managed firewalls and hosting providers.

The payment card brands split merchants and service providers into different reporting levels based on the number of transactions they handle in a given year. Let’s take a look at the levels for each group below.

Cardholder Data Under PCI DSS

Under PCI DSS, cardholder data is defined as the full Primary Account Number (PAN). The following information — cardholder name, expiration date, and service code — are also considered cardholder data when managed with the full PAN. 

Under PCI DSS requirement 3, organizations can store full primary account numbers,  cardholder names, expiration dates, and service codes. However, organizations cannot store sensitive authentication data after authorization unless this organization is an issuer.

Sensitive Authentication Data

Under PCI DSS, sensitive authentication data is security-related information used to authenticate cardholders and/or authorize payment card transactions. Examples include card validation codes/values such as CVV2 and CVC2 data, full track data from the magnetic stripe or the equivalent on a chip, personal identification numbers (PINs), and PIN blocks. 

These additional data elements may be transmitted or processed as part of a payment transaction, but cannot be stored after authorization under PCI DSS unless you are an issuer.