
What Payment Card Data Can We Store? PCI Compliance Guide

By Ethan Brooks

Every day, businesses process millions of payment card transactions, collecting vast amounts of sensitive data. The question of what payment card data are we allowed to store is not just a technical detail; it is the cornerstone of customer trust and regulatory compliance. Understanding the precise boundaries of what can be retained, how it must be protected, and the severe consequences of overreach is essential for any organization that handles electronic payments.

The Core Prohibition: The Primary Account Number (PAN)

The central rule governing stored card data is the protection of the Primary Account Number (PAN). This is the unique string of digits identifying the card issuer and account number, essentially the card’s serial code. While the complete PAN is highly sensitive, regulations do not outright ban its storage. However, if you choose to store the full PAN, you assume significant responsibility for its security. The focus shifts from simple storage to implementing robust, multi-layered security protocols that render the data unreadable to unauthorized parties, effectively making the storage of the PAN a high-risk decision that must be justified by a clear business need.

Permitted Storage: Tokenization and Truncation

To mitigate risk, the industry strongly favors methods that obscure the actual PAN. Tokenization replaces the sensitive number with a unique identifier, or token, that has no extrinsic or exploitable meaning. This token is useless to a hacker, as it cannot be reverse-engineered to reveal the original card details without access to the secure token vault. Similarly, truncation involves storing only a portion of the PAN. Most commonly, merchants display and store only the last four digits on receipts and in internal systems. This practice satisfies the requirement to reference a specific transaction without exposing the full account number, striking a balance between utility and security.

Strictly Forbidden: Sensitive Authentication Data

Beyond the PAN, there is a category of data that is strictly forbidden from being stored after authorization. This is known as Sensitive Authentication Data (SAD) and includes the elements that verify a cardholder’s identity during a transaction. Under the Payment Card Industry Data Security Standard (PCI DSS), it is prohibited to store the full contents of the magnetic stripe (Track 1 or Track 2 data), the Card Verification Value (CVV2, CVC2, or CID), and Personal Identification Number (PIN) blocks. These pieces of information are the prime targets for fraudsters, and their retention creates an unacceptable level of risk that violates the core principles of payment security.

Allowed Retention of SAD: The Exception for Physical Transactions

It is important to note the narrow exception to the SAD storage ban. This prohibition applies specifically to electronic storage. For merchants who process transactions manually, such as in a card-not-present environment, the physical receipt or a paper equivalent may temporarily hold this data. However, this physical documentation must be securely destroyed, burned, or pulverized immediately after authorization is complete. The rule is clear: the primary goal is to ensure that this highly sensitive data does not reside in databases or digital files where it can be easily compromised.

Transaction Data and Receipts: What You Can Keep

While sensitive authentication data is off-limits, other transaction-related information is not only allowed but necessary for business operations. You are permitted to store the date and time of the transaction, the transaction amount, and a unique transaction identifier provided by the payment processor. These details are crucial for reconciliation, dispute resolution (chargebacks), and customer service. Furthermore, legally compliant receipts can display the cardholder’s name, the transaction amount, the date, and the last four digits of the card, ensuring that necessary documentation exists without crossing into sensitive territory.

The Overarching Principle of Data Minimization

E

Written by Ethan Brooks

Ethan Brooks is a Senior Editor covering consumer products and emerging ideas. He writes with precision and a bias toward action.