| | Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| | Cardholder Name | Yes | Yes ¹ | No |
| | Service Code ¹ | Yes | Yes ¹ | No |
| | Expiration Date ¹ | Yes | Yes ¹ | No |
| Sensitive Authentication Data ² | Full Magnetic Stripe Data ³ | No | N/A | N/A |

1 These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
2 Sensitive authentication data must not be stored after authorization (even if encrypted).
3 Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
Summary

The cardholder data where storage is permitted must be encrypted per PCI requirements.
Furthermore, the entire system hosting the data store must adhere to PCI requirements.
If your site stores credit card information, then your site is a target.
Alternatives include storing credit card information at your processing gateway or using a tokenization service to store the credit card information.