WHAT IS REALLY ON YOUR PAYMENT CARD? THE IMPORTANCE OF PCI DSS CARD ACCOUNT DATA
Olamide Matthew
Providing solutions in Governance, Risk Management & Compliance… Building @Compliance Tribe
At 16, I got my very first ATM card (Debit card). It seemed like one of my most treasured achievements and possessions.
I protected the card with all secrecy, as I had been told by the issuer not to divulge any of the card details to anyone. I did just as instructed.
My name was on it, a number was on it too, and the expiration date was also on it. But did I know the importance of the information on this card? No. I only knew that my money could be stolen if an outsider knew my card details.
Card Account Data (CAD) is the core of the PCI DSS standard.
Now, let’s take a closer look at the concept of Card Account Data (in last week’s post, I talked about the background of the Payment Card Industry Data Security Standard, PCI DSS; see link).
In the context of the Payment Card Industry Data Security Standard (PCI DSS), Card Account Data (CAD) is the vital information that a payment card carries. This set of data elements is what enables the card to be processed from one end of a payment to the other.
Before we proceed, take a look at the name on your card, the number on it, its expiration date amongst others.
All of these are data elements of Card Account Data, and each has its own importance.
Based on sensitivity and importance, CAD is divided into two distinct categories, namely:
1. Cardholder Data (CHD)
2. Sensitive Authentication Data (SAD)
- CARDHOLDER DATA (CHD)
Refers to the Primary Account Number (PAN) on the card, together with the data elements associated with the PAN. These include:
Primary Account Number (PAN)
Cardholder Name
Expiration date
Service code
It is not enough just to know these terms. Let us dig deeper into their uses and importance.
Primary Account Number (PAN): According to Stripe, the primary account number is the technical term for a payment card number. It is usually a series of 12 to 19 digits encoded on a payment card. The PAN is assigned by a financial institution to a cardholder account, and it is the piece of data that facilitates communication between the entities involved in a payment. The importance of the PAN includes the following:
· Transaction initiation
· Data transmission
· Validation checks
· Transaction approval
Service Code: According to the PCI DSS, the service code is a three- or four-digit value in the magnetic stripe that follows the expiration date of the payment card in the track data. Its uses include:
· Defining service attributes
· Differentiating between international and national interchange
· Identifying usage restrictions
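The two CHD elements above lend themselves to a small worked check. The block below is an added illustration, not code from the article: it applies the 12 to 19 digit length rule the article states together with the Luhn check digit test (the standard "validation check" run on a PAN, which the article does not name), and it decodes a three-digit service code into the interchange, authorization and usage-restriction attributes the article describes. The digit meanings are the ISO/IEC 7813 assignments and are assumed here; the four-digit form of the service code is not handled, and the card number used is a well-known test number, not a real account.

```python
import re

# Luhn (mod 10) check digit test: the standard validation applied to a PAN.
# Assumption: the article mentions "validation checks" without naming the algorithm.
def luhn_valid(pan: str) -> bool:
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9             # same as summing the two digits of the product
        total += digit
    return total % 10 == 0


def validate_pan(raw_pan: str) -> tuple[bool, str]:
    """Return (is_valid, reason) for a PAN as printed or keyed in."""
    pan = re.sub(r"[ -]", "", raw_pan)        # tolerate the spacing printed on a card
    if not pan.isdigit():
        return False, "PAN must contain only digits"
    if not 12 <= len(pan) <= 19:              # length range stated in the article
        return False, f"PAN length {len(pan)} is outside the 12-19 digit range"
    if not luhn_valid(pan):
        return False, "Luhn check digit does not match"
    return True, "PAN is well-formed"


# Service code digit meanings (ISO/IEC 7813; assumed, not quoted from the article).
INTERCHANGE = {                    # first digit: interchange and technology
    "1": "international interchange",
    "2": "international interchange (use integrated circuit where feasible)",
    "5": "national interchange only",
    "6": "national interchange only (use integrated circuit where feasible)",
    "7": "no interchange except by bilateral agreement (private)",
    "9": "test card",
}
AUTH_PROCESSING = {                # second digit: authorization processing
    "0": "normal authorization",
    "2": "contact issuer via online means",
    "4": "contact issuer via online means except under bilateral agreement",
}
USAGE = {                          # third digit: usage restrictions and PIN requirements
    "0": "no restrictions; PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only; PIN required",
    "4": "cash only",
    "5": "goods and services only; PIN required",
    "6": "no restrictions; use PIN where feasible",
    "7": "goods and services only; use PIN where feasible",
}


def decode_service_code(code: str) -> dict:
    """Split a three-digit service code into the attributes each digit encodes."""
    if not (len(code) == 3 and code.isdigit()):
        raise ValueError("service code must be exactly three digits")
    return {
        "interchange": INTERCHANGE.get(code[0], "unknown/reserved"),
        "authorization": AUTH_PROCESSING.get(code[1], "unknown/reserved"),
        "usage": USAGE.get(code[2], "unknown/reserved"),
    }


if __name__ == "__main__":
    # Constructed inputs: a public test card number and a common service code.
    print(validate_pan("4111 1111 1111 1111"))
    print(validate_pan("4111 1111 1111 1112"))
    print(decode_service_code("201"))
```

Running the block shows why the service code matters to a merchant or acquirer: the same PAN with a "5" in the first position is restricted to national interchange, and a "2" in the third position tells the terminal the card may not be used for cash.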
How is the Cardholder Data Protected?
According to PCI DSS, cardholder data must be secured and protected at every stage of its lifecycle (storage, processing and transmission). PCI DSS Requirement 3 prescribes the measures by which organizations may store and protect cardholder data.
For instance, organizations can store Primary Account Number (PAN), cardholder name, expiration date and service code after authentication, although encryption measures must be in place to render these data unreadable.
Also, account data storage must be kept to the minimum through the implementation of data retention and disposal policies, procedures and processes.
Reference: PCI DSS Requirement 3: Protect Account Data.
- SENSITIVE AUTHENTICATION DATA (SAD)
I believe you’re familiar with the three digits you input whenever you perform an online transaction with your card, and you can see the black stripe on the back of your card. Be sincere: what do you think they are for?
Well, these are the sensitive authentication data that the card account encompasses.
Sensitive Authentication Data (SAD) is security-related information used to authenticate cardholders or authorize payment card transactions.
The data elements in this category include:
Card Validation Values (CVV2) or Codes (CVC2): According to Stripe, the CVV code is the three-digit code on the back of your card (with the exception of American Express cards, which use a four-digit sequence). This code proves your card’s validity and makes it more difficult for fraudulent actors and hackers to use your stolen card number. This protects not only the cardholder (securing their funds) but also the business (protecting it from financial and reputational risk). The code is used to verify that the cardholder had physical access to the card they are using.
Full track data from the magnetic stripe: This refers to the data encoded in the magnetic stripe (the black portion at the back of your card). It is used for authentication and authorization during payment.
Protection of the Sensitive Authentication Data (SAD)
PCI DSS mandates that the data elements that belong in the SAD category must not be stored after authorization; even during the authorization process, the SAD elements must be encrypted and unreadable.
The only exception to this is where the payment entity belongs to the issuer category.
To further understand the protection of Card Account Data, check out PCI DSS Requirement 3, with its recommendations and step-by-step guidance on implementing the controls.
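To make the storage rules concrete, here is an added example (not code from the article or from the PCI SSC) that takes a transaction record as it might arrive for authorization and produces the version that may be written to a database. It applies the two rules the article states: SAD elements (CVV2/CVC2, track data) are dropped before anything is persisted, and the PAN is rendered unreadable, here by keeping a first-six/last-four mask for display and a keyed hash (HMAC-SHA256) for matching later transactions; the keyed hash rather than a plain hash follows PCI DSS v4.0's requirement for hashed PANs. A final audit function flags any record that still carries a SAD field or a full PAN. The field names, the sample record, the test card number and the demo key are all constructed for this illustration.

```python
import hashlib
import hmac
import re

# Classification of the data elements named in the article.
CHD_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}
SAD_FIELDS = {"cvv2", "cvc2", "track1", "track2", "pin_block"}

# Constructed sample record as it might arrive from a payment form or terminal.
# The PAN is a well-known test number, not a real account.
SAMPLE_AUTH_REQUEST = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. SAMPLE",
    "expiration_date": "12/27",
    "service_code": "201",
    "cvv2": "123",
    "track2": "<constructed track 2 data>",
    "amount": "19.99",
}

# Demo key only; a real deployment would fetch this from a key-management system.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def mask_pan(raw_pan: str) -> str:
    """Keep at most the first six and last four digits, the usual masked display form."""
    pan = re.sub(r"[ -]", "", raw_pan)
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(raw_pan: str, key: bytes) -> str:
    """Keyed hash of the PAN: lets stored records be matched to later transactions
    without the PAN itself being recoverable from the stored value."""
    pan = re.sub(r"[ -]", "", raw_pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return the subset of a transaction record that may be persisted after authorization."""
    stored = {}
    for field, value in record.items():
        if field in SAD_FIELDS:
            continue                                 # SAD is never persisted after authorization
        if field == "pan":
            stored["pan_masked"] = mask_pan(value)   # PAN rendered unreadable for display
            stored["pan_hmac"] = pan_fingerprint(value, key)
            continue
        stored[field] = value                        # other CHD and non-card fields are kept
    return stored


def audit_stored_record(stored: dict) -> list[str]:
    """Findings for a record about to be written: any SAD key, or a value that is
    nothing but a 12-19 digit number and therefore looks like an unmasked PAN."""
    findings = []
    for field, value in stored.items():
        if field in SAD_FIELDS:
            findings.append(f"SAD element stored: {field}")
        compact = re.sub(r"[ -]", "", str(value))
        if re.fullmatch(r"\d{12,19}", compact):
            findings.append(f"possible unmasked PAN in field: {field}")
    return findings


if __name__ == "__main__":
    print("raw record findings:", audit_stored_record(SAMPLE_AUTH_REQUEST))
    safe = prepare_for_storage(SAMPLE_AUTH_REQUEST, DEMO_KEY)
    print("stored record:", safe)
    print("stored record findings:", audit_stored_record(safe))
```

The audit deliberately runs on the record the application is about to write rather than on the database afterwards; it is the kind of pre-write check that catches a developer who adds a new field carrying track data or a CVV2 to a log or table without realising it is SAD.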
From all indications, Card Account Data is one of, if not the, major concern of the PCI DSS. Account data is meant to be protected and secured by both the issuer and the cardholder.
You might wonder why account data deserves such protection. That is why you should connect with me, so you can get the update next week when I will be talking about the ways malicious actors exploit cardholder data and turn it into monetary profit.
Until next week, make sure you keep your card data safe.
Olamide Matthew Aderibigbe.
10-09-24.
IT Auditor-Consultant at CP CAN. Consulting
6 months
Useful info, thanks for sharing, Olamide