When it comes to handling payment cardholder data, PCI DSS has many rules about what you must and must not do when it comes to handling payment data. But the most stringent requirements apply to sensitive authentication data (SAD).
So, what exactly is SAD, cardholder data (CHD), the differences between the two, and the rules related to both?
Cardholder Data (CHD)
As defined by the PCI Security Standards Council, CHD is the data allowed to be retained after a transaction validation. A transaction is considered processed once it has been either approved or declined. CHD is limited to the cardholder's name, the payment card's expiry date, and the primary account number (PAN), which must be encrypted if retained. The key is the phrase 'after a transaction validation' Even if a transaction fails or is declined, it has been processed, and therefore the only data that can be retained is CHD, nothing else.
Sensitive Authentication Data (SAD)
The most common SAD element is the card verification code/value (i.e., CVC, CVV, CID), the three or four-digit code on the front or back of the card. When conducting a payment transaction, a point-of-sale card terminal also reads the PIN and track data from the magnetic tape stripe or the EMV chip.
The critical security attribute of SAD is that once a transaction is processed, SAD MUST BE securely deleted from disk, device memory, telephone recordings, physical documents - anywhere it may exist. The bottom line is that SAD cannot be retained under any circumstances once a transaction is processed.
Example - Handling SAD
A typical how-to example of handling SAD is an organization that processes mail order transactions. A customer's order form specifies payment card information that includes the card verification value (CVV).
A merchant is obligated to securely store these forms until an authorized person processes the order and the payment. Once the payment has been processed, the card information must be securely redacted from the record.
Redaction can be accomplished in several ways. The first way is low tech and uses a black Sharpie marker, blacking out the PAN, CVV, and any other sensitive information, taking a copy of the form, and then securely shredding the original document. Another option is designing the form so that the payment information is on the bottom, where it can be easily torn off and shredded, leaving the rest of the form safe for filing.
The PCI Assessment Process
As part of the PCI assessment process, PCI DSS requires that an organization prove that it does not store SAD anywhere in its environment. Organizations scan systems for SAD and prove that it does not exist on out-of-scope systems.
If scanning finds SAD where it does not belong, the organization must remediate that situation before a PCI assessment can be considered compliant.
The PCI DSS requires that an organization prove that it only has CHD in its environment where it is expected to be. Such proof is often evidenced by scanning systems for CHD and proving that CHD only exists in the defined cardholder data environment (CDE). Several commercial and open-source utilities can conduct these scans, including most data loss prevention (DLP) solutions.
If scanning finds CHD where it does not belong, the organization must remediate that situation before a PCI assessment can be considered compliant.
If an organization is retaining PAN, the PAN must be encrypted, and access to the encrypted PAN restricted to only personnel with a need to know.
And there we have it, the definitions and some of the rules regarding SAD and CHD. But the most important recommendation of all is to do everything you can not to store SAD.
If you must store CHD, you need to ensure the security of the CHD and minimize the access to CHD to only those personnel that need access.
PCI DSS compliance can be expensive. You can reduce effort and cost by relying on a vendor to deal with it for you. Let them deal with compliance so you can invest in your business.
The Truvantis® team comprises PCI DSS experts and Qualified Security Assessors with extensive experience as a trusted partner for compliance and validation. Outsourcing your payments, segmenting your networks, tokenizing your data, use P2PE/E2EE solutions –all are great ways to reduce your costs. But the devil is in the details –contact Truvantis to make sure you get it right