Is storing the last 4 digits of a credit card and the expiry date allowed under PCI-DSS?

We need to store the last 4 digits of the credit card (in order to let customers know which card they have used) and the expiry date (to notify customers that their card is about to expire) for our subscription/recurring-payment based SaaS application.

Is storing those two data items allowed under PCI DSS? Please answer with a reference/link to an official website or document.

Please note: we are not storing the Name on Card or the CVV number.

asked Jun 19 '17 by Kiran Beladiya

2 Answers

You should be OK with regard to PCI regulations.

This table lays out what data can be stored: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

"If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements."

-edit- According to the bottom table in that doc, it says you should be able to store those elements. Since you are not storing full PAN, Regulation 3.4 shouldn't apply to the other elements.

If it helps, we got Level 1 certified and we store the last 4 and expiration date in clear text. You don't need to be audited unless you are Level 1 (assuming Merchant here, not Service Provider).

answered Oct 13 '22 by Matthew Allen


From what I am reading within the PCI Data Storage Do's and Don'ts PDF (https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf):

You are able to store the expiration date, service code, and cardholder name so long as you do NOT store the PAN.

Direct quote from the PDF:

These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company’s practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

answered Oct 13 '22 by Heath N
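One way to put the rule both answers give into practice (store the last 4 and the expiry, never the full PAN), as an added example that is not from either answer, the question, or the PCI SSC: the card number is reduced to its storable subset at the capture boundary, and every record is guarded with a Luhn check before it is written so a full PAN cannot slip into a free-text field. The 4111… number is a constructed test value and all function names are my own.

```python
import re
from dataclasses import dataclass

# Digit runs of PAN length (13-19), optionally separated by spaces or dashes.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid 13-19 digit run, i.e. looks like a full PAN."""
    for m in PAN_RUN.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


@dataclass(frozen=True)
class StoredCard:
    """The only card fields this app persists: no PAN, no CVV, no cardholder name."""
    last4: str
    exp_month: int
    exp_year: int


def to_stored_card(pan: str, exp_month: int, exp_year: int) -> StoredCard:
    """Reduce a captured card number to its storable subset before it goes anywhere."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a plausible PAN")
    if not 1 <= exp_month <= 12:
        raise ValueError("expiry month out of range")
    return StoredCard(last4=digits[-4:], exp_month=exp_month, exp_year=exp_year)


def safe_to_persist(record: dict) -> bool:
    """Guard before any DB write: refuse the record if any field carries a full PAN."""
    return not any(contains_pan(str(v)) for v in record.values())


def expires_by(card: StoredCard, year: int, month: int) -> bool:
    """True if the card is expired at, or expires during, the given year/month (for renewal reminders)."""
    return (card.exp_year, card.exp_month) <= (year, month)
```

The `safe_to_persist` guard is the part worth keeping: it catches the common failure mode where a support note or log line carries the full card number even though the schema itself only has a `last4` column.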