Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

is Last 4-digits of credit card and Expiry Date storage allowed in PCI-DSS?

Tags:

We need to store last 4 digits of credit card, (in order to let customers know which card they have used?) and expiry date (to notify customers that their card is about to expire) for our subscription/recurring payment based SaaS application.

are those two data storage allowed in PCI DSS? Please answer with reference/link to official website or document.

Please note: We are not storing Name On Card and CVV numbers

like image 914
Kiran Beladiya Avatar asked Jun 19 '17 12:06

Kiran Beladiya

2 Answers

You should be ok w regard to PCI regulations.

This table lays out what data can be stored: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

"If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements."

-edit- According to the bottom table in that doc, it says you should be able to store those elements. Since you are not storing full PAN, Regulation 3.4 shouldn't apply to the other elements.

If it helps, we got Level 1 certified and we store last 4 and expiration date in clear text. You don't need audited unless you are Level 1 (assuming Merchant here, not Service Provider).

like image 200
Matthew Allen Avatar answered Oct 13 '22 23:10

Matthew Allen

From what I am reading within the PCI Data Storage Do's and Don'ts PDF (https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf)

You are able to store the expiration date, service code, and cardholder name so long as you do NOT store the PAN.

Direct quote from the PDF:

These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require speci c protection of this data, or proper disclosure of a company’s practices if consumer- related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

like image 27
Heath N Avatar answered Oct 13 '22 22:10

Heath N
Sign in to Comment

Related questions

Setting file permissions for created files in R
General Advice about When to Use Prop and When to use bool
using postgres with nodejs for connection pool
When to use a custom index rather than ordinary columns in Pandas
Getting eBay Access Token (Exchanging auth token) with python requests
Is it possible to make a property which listen to changes of custom objects in javafx?
SceneBuilder crashed upon startup
Resolve SSIS Package with Kingswaysoft error: Connection type "DynamicsCRM" is not recognized as a valid connection manager type
PostgreSQL RDS avoid hard coding the connection password when using dblink_connect()
Is a vector with incomplete type allowed if absolutely no member functions are called? If so, since when?
How to return 401 when Auth Token is missing in Django Rest Framework
Skipping user input using NPM test

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!