Credit Card Data Storage and PCI Compliance

Some credit card data can be stored by an e-commerce site assuming adequate security measures are implemented.

	Data Element	Storage Permitted	Protection Required	PCI DSS Req. 3.4
Cardholder Data	Primary Account Number (PAN)	Yes	Yes	Yes
	Cardholder Name	Yes	Yes 1	No
	Service Code 1	Yes	Yes 1	No
	Expiration Date 1	Yes	Yes 1	No
Sensitive Authentication Data 2	Full Magnetic Stripe Data 3	No	N/A	N/A
	CAV2/CVC2/CVV2/CID	No	N/A	N/A
	PIN/PIN Block	No	N/A	N/A

1 These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

2 Sensitive authentication data must not be stored after authorization (even if encrypted).

3 Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.

Summary

The card holder data where storage is permitted must be encrypted per PCI requirements.

Furthermore, the entire system hosting the data store must adhere to PCI requirements.

If your site stores credit card information, then your site is a target.

Alternatives include storing credit card information at your processing gateway or using a Tokenization service to actually store the credit card information.

References

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf

http://en.wikipedia.org/wiki/Tokenization_(data_security)