Location of Cardholder Data and Sensitive Authentication Data
Sensitive authentication data consists of magnetic stripe (or track) data [3], card validation code or value [4], and PIN data [5]. Storage of sensitive authentication data is prohibited! This data is very valuable to malicious individuals as it allows them to generate fake payment cards and create fraudulent transactions. See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for the full definition of sensitive authentication data. The pictures of the back and front of a credit card below show the location of cardholder data and sensitive authentication data.
[Figure: front and back of a payment card, showing the locations of cardholder data and sensitive authentication data (magnetic stripe/chip, card validation code, PIN).]
Note: The chip contains track-equivalent data as well as other sensitive data, including the Integrated Circuit (IC) Chip Card Verification Value (also referred to as Chip CVC, iCVV, CAV3 or iCSC).
[3] Magnetic stripe (track) data: data encoded in the magnetic stripe and used for authorization during a card-present transaction. This data may also be found on a chip, or elsewhere on the card. Entities may not retain full magnetic stripe data after transaction authorization. The only elements of track data that may be retained are the primary account number, cardholder name, expiration date, and service code.
[4] Card validation code or value: the three- or four-digit value printed on or to the right of the signature panel, or on the face of a payment card, used to verify card-not-present transactions.
[5] PIN data: the Personal Identification Number entered by the cardholder during a card-present transaction, and/or the encrypted PIN block present within the transaction message.
Navigating PCI DSS: Understanding the Intent of the Requirements, v2.0 Copyright 2010 PCI Security Standards Council LLC
[Figure: layout of Track 1 and Track 2 magnetic stripe data, showing the primary account number, cardholder name, expiration date, service code and discretionary data fields.]
Note: Discretionary Data fields are defined by the card issuer and/or payment card brand. Issuer-defined fields containing data that are not considered by the issuer/payment brand to be sensitive authentication data may be included within the discretionary data portion of the track, and it may be permissible to store this particular data under specific circumstances and conditions, as defined by the issuer and/or payment card brand. However, any data considered to be sensitive authentication data, whether it is contained in a discretionary data field or elsewhere, may not be stored after authorization.
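As an added example (not part of the PCI SSC document), the following Python code parses Track 1 and Track 2 strings in the ISO/IEC 7813 layout, keeps only the four track elements the standard allows after authorization (PAN, cardholder name, expiration date, service code) while dropping the discretionary data field, and scans a log line for full track data that should never have been retained. The track strings, the test PAN and the log line are constructed for the example; the Luhn check is a standard sanity test added here to avoid false positives, not something the document asks for.

```python
"""Added example (not from the PCI SSC document): parse magnetic-stripe
Track 1 / Track 2 data and keep only the elements that may be retained
after authorization (PAN, cardholder name, expiration date, service code).

Track layouts follow ISO/IEC 7813; all card data below is constructed
for the example and does not belong to a real account."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


@dataclass
class TrackFields:
    track: int
    pan: str
    name: Optional[str]   # Track 2 carries no cardholder name
    expiry: str           # YYMM
    service_code: str
    discretionary: str    # issuer-defined; may hold PVV/CVV; never store


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; weeds out digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(data: str) -> Optional[TrackFields]:
    """Return the fields of a Track 1 or Track 2 string, or None."""
    m = TRACK1_RE.search(data)
    if m and luhn_ok(m["pan"]):
        return TrackFields(1, m["pan"], m["name"], m["exp"], m["svc"], m["disc"])
    m = TRACK2_RE.search(data)
    if m and luhn_ok(m["pan"]):
        return TrackFields(2, m["pan"], None, m["exp"], m["svc"], m["disc"])
    return None


def retain_after_authorization(data: str) -> Optional[dict]:
    """The only track elements PCI DSS allows to be kept after authorization.
    The discretionary data (and any CVV/PVV it carries) is dropped. The PAN
    is still cardholder data and must be protected under other requirements."""
    f = parse_track(data)
    if f is None:
        return None
    return {"pan": f.pan, "name": f.name, "expiry": f.expiry,
            "service_code": f.service_code}


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits of a PAN."""
    return pan[:6] + "*" * max(len(pan) - 10, 0) + pan[-4:]


def find_full_track_data(text: str) -> List[Tuple[int, str]]:
    """Scan free text (a log line, a database dump) for full track data that
    should not be there. Returns (track number, masked PAN) for each hit."""
    hits = []
    for track_no, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            if luhn_ok(m["pan"]):
                hits.append((track_no, mask_pan(m["pan"])))
    return hits


# Constructed sample data (hypothetical test PAN, passes Luhn).
TEST_PAN = "4" + "1" * 15
SAMPLE_TRACK1 = f"%B{TEST_PAN}^DOE/JOHN^2512" + "101" + "9876543210?"
SAMPLE_TRACK2 = f";{TEST_PAN}=2512" + "101" + "9876543210?"
SAMPLE_LOG = ("2010-10-28 12:00:01 POS terminal 7 auth request raw="
              + SAMPLE_TRACK2 + " amount=19.99")

if __name__ == "__main__":
    print(parse_track(SAMPLE_TRACK1))
    print(retain_after_authorization(SAMPLE_TRACK2))
    print(find_full_track_data(SAMPLE_LOG))
```

The parser deliberately has no way to return the discretionary field from `retain_after_authorization`: whatever the issuer placed there (which, as the note above says, may include sensitive authentication data) is discarded before anything is written to storage. The `find_full_track_data` scan is the complementary check, run over logs or database exports to confirm that full track data did not survive authorization; it reports only a masked PAN so that the finding itself does not reproduce the data.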