Cardholder Data (CHD)

Definition of Cardholder Data

Cardholder Data (CHD) refers to any personally identifiable information associated with a payment card transaction. Under the Payment Card Industry Data Security Standard (PCI DSS), CHD includes:

• Primary Account Number (PAN): The unique numeric code identifying the payment card account.
• Cardholder Name: The cardholder's full name as printed on the payment card.
• Expiration Date: The date indicating until when the card is valid.
• Service Code: A three-digit value encoded on the magnetic stripe, providing information about the card's usage limitations and requirements.

These elements are considered sensitive and must be protected to prevent unauthorized access and potential fraud.

Cardholder Data vs. Sensitive Authentication Data

While both Cardholder Data (CHD) and Sensitive Authentication Data (SAD) are critical in payment transactions, they differ in their nature and handling requirements:

• CHD: Includes the PAN, cardholder name, expiration date, and service code.
• SAD: Comprises data elements used to authenticate cardholders and authorize payment card transactions, such as card verification codes, full track data from magnetic stripes or chips, and PINs.

The key distinction lies in the storage and handling:

• CHD: May be stored if necessary for business purposes, provided it is protected according to PCI DSS requirements.
• SAD: Must never be stored after authorization, even if encrypted, as per PCI DSS guidelines.

PCI DSS Requirements for Cardholder Data

The PCI DSS outlines specific requirements to protect CHD:

1. Protect Stored Cardholder Data: Implement security measures such as encryption, truncation, masking, and hashing to protect stored CHD.
2. Encrypt Transmission of Cardholder Data: Use strong cryptography and security protocols to protect CHD during transmission over open, public networks.
3. Access Control Measures: Restrict access to CHD to only those individuals whose job requires it, and ensure proper authentication and authorization mechanisms are in place.
4. Regular Monitoring and Testing: Regularly test security systems and processes to identify vulnerabilities and ensure the effectiveness of security measures.
5. Maintain an Information Security Policy: Establish, publish, maintain, and disseminate a security policy that addresses the security requirements for protecting CHD.

Protecting Cardholder Information

To safeguard CHD, organizations should implement best practices such as:

• Data Encryption: Use strong encryption algorithms to protect CHD during storage and transmission.
• Tokenization: Replace sensitive data with unique identifiers (tokens) that have no exploitable value.
• Access Controls: Implement role-based access controls to ensure only authorized personnel can access CHD.
• Regular Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate risks.
• Employee Training: Educate employees about data security best practices and the importance of protecting CHD.

Cardholder Data Related Terms

• Tokenization: A process that replaces sensitive data with unique identifiers, reducing the risk associated with storing CHD.
• Encryption: The process of converting data into a code to prevent unauthorized access.
• Access Control: Mechanisms that restrict access to data based on user roles and permissions.
• Data Masking: The process of obscuring specific data within a database to protect it.
• Compliance: Adherence to regulations and standards, such as PCI DSS, to ensure the protection of CHD.

Protecting Cardholder Data (CHD) is a primary objective of the PCI DSS. Organizations that handle payment card transactions are required to implement stringent security measures to safeguard CHD from unauthorized access, use, and disclosure. The PCI DSS provides specific requirements for the protection of CHD, including encryption, secure storage, access controls, network segmentation, and regular monitoring.

It is important to note that the PCI DSS encourages organizations to minimize the storage and retention of CHD to reduce risk. Implementing data minimization practices and securely disposing of unnecessary CHD helps limit the potential impact of data breaches.

By understanding and properly handling Cardholder Data (CHD), organizations can ensure compliance with the PCI DSS and protect the privacy and security of individuals' payment card information.