What Is Cardholder Data & Why Does It Matter?
When it comes to payment processing, security matters. After all, every time you handle a credit card, your customer is trusting you with their financial information. By now, you have probably come across the term PCI compliance on your monthly processing statements, and you know it’s a data-security related term. A little digging on the internet reveals that PCI compliance is complicated and the subject matter is full of acronyms and industry jargon.
One term often associated with PCI compliance is cardholder data. Even though the term is a small part of the overall PCI compliance scheme, it is a fundamental building block term. Understanding what cardholder data encompasses will help you navigate more smoothly as you learn more about the complicated world of PCI compliance.
What Does Cardholder Data Include?
Even from its plain meaning, cardholder data suggests that the data includes information on both the front and the back of a credit or debit card. Formally, cardholder data is defined as:
- The primary account number (PAN).
- And may include:
  - Cardholder name.
  - Expiration date.
  - Service code.
  - Other sensitive authentication data used to authenticate cardholders and/or authorize payment card transactions, including, but not limited to, card validation codes/values, full track data from the magnetic stripe or chip on a card, PINs, and PIN blocks.
Cardholder data, therefore, could include most of the information on the payment card itself, whether plainly visible like the PAN or stored in the magnetic stripe or on the chip of the card.
Cardholder Data & Maintaining PCI Compliance
Knowing the definition of cardholder data is one thing, but this knowledge is useless without understanding how cardholder data fits into the overall scheme of PCI compliance.
Basically, cardholder data includes all the information on a credit or debit card that’s needed to transfer money from one party to another. Unfortunately, where there is money, there are thieves. So, some years ago, the larger credit card companies banded together to form the PCI Security Standards Council. The Council’s job is to formulate data security rules and best practices so that the storage and transmission of credit and debit card information from the cardholder to the merchant to the banks — and everywhere in between — can be secure.
How Cardholder Data PCI Compliance Rules Affect Merchants
If you are a small business merchant, not all of the PCI compliance rules apply to you. For the rules that do apply, failure to follow them means getting a fine, usually from your processor. However, note that there are other country- or state-specific data security and privacy laws that might apply to merchants as well. Often, these laws require the holder of the information to take reasonable steps to keep the information safe. Failure to comply with the laws often results in a fine, but sometimes can result in heavier punishments like an injunction. Since the PCI Security Standards Council’s rules are typically more stringent and detailed, it is easier for a merchant to simply follow the PCI Security Standards Council’s compliance rules and best practice suggestions. Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) specifically addresses cardholder data.
Different Rules For Storing Or Not Storing Cardholder Data After A Transaction
There are several ways a merchant could choose to handle cardholder data. As a threshold matter, we assume that you already use PCI compliant card readers, point of sale terminals, and encryption software for transmitting the cardholder data to your processor.
A customer might pay in person, pay over the phone, or pay through a web interface. As long as you do not keep the cardholder data on file (whether stored electronically or even just temporarily scribbled on a piece of paper), then you are in compliance with PCI requirements for cardholder data. If, however, you do wish to keep cardholder data on file so you can, for instance, provide your customers a faster checkout, then there are additional PCI rules and best practices you must follow.
To keep the cardholder data on file, a merchant has two basic choices: keep the cardholder data in a computer system at the business (all the while making sure everything is PCI compliant), or hire a third-party service to keep the data on their server while only keeping a token at the business.
With the former, the merchant must follow additional complex requirements for both hardware and software set out by the PCI Security Standards Council. Typically, this method is only employed by larger businesses that have the money and personnel to maintain the hardware and software. With the latter, it is possible to keep the cardholder data with a third-party service provider that is already PCI compliant. Rather than the cardholder data, you only keep a token that can eventually be matched to the cardholder data. Recently, credit card tokenization has become a more popular choice because a token is not cardholder data and so is not subject to the same PCI compliance rules as cardholder data.
Protect Cardholder Data With Tokenization
We have an article explaining the details of tokenization, but, briefly, payment card tokenization is a process that takes the cardholder data and assigns it a random series of numbers and (sometimes) letters called the token. The cardholder data is stored in a highly secure electronic vault using PCI compliant hardware and software. Only the owner of the vault has the ability to match the token with a specific set of cardholder data.
As a business owner, all you have stored in your system is the token. In order to access the rest of the payment card information, you must send the token to the vault holder to retrieve the actual cardholder data before sending the information onward for further payment processing. If you experience a data breach, then all you have to do is notify your storage company so they can assign new tokens to you. The cardholder data should be secure as long as you quickly find and notify the storage company of the breach.
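The vault-side flow described above (random token issued for a PAN, lookup only the vault owner can perform, and fresh tokens issued after a breach), as an added toy example that is not code from the original article or from any tokenization provider. It assumes an in-memory mapping and a constructed test PAN; a real vault would use PCI compliant hardened storage, and the choice to keep the last four digits and to reject tokens that pass the Luhn check is an assumption of this example.

```python
"""Toy payment-card token vault: issue random tokens, detokenize, reissue.

Assumptions (not from the article): mappings live in a dict for illustration;
a production vault would use hardened, PCI compliant storage.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check carried by real PANs; rejects malformed input up front."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Vault side: only this object can map a token back to the PAN."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        while True:
            # Same length as the PAN; keep the last four digits so the merchant
            # can show "card ending in 1234" while holding only the token.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and reject any token that would itself pass
            # the Luhn check, so a token can never be mistaken for a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Vault-only operation: recover cardholder data for onward processing."""
        return self._token_to_pan[token]

    def reissue(self, old_token: str) -> str:
        """Breach response from the text: retire the exposed token, issue a new one."""
        pan = self._token_to_pan.pop(old_token)
        return self.tokenize(pan)
```

The merchant's own records hold only the value returned by `tokenize`; a stolen token is useless without access to the vault, and `reissue` makes it useless even to the vault.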
From a practical standpoint, with tokenization, you won’t have to worry about PCI compliance because you don’t have the cardholder data on your premises. All the encryption and data security required to be PCI compliant are farmed out to a third party, leaving you time to concentrate on running your business.
Protecting Cardholder Data Protects Your Business
If you are a merchant who accepts credit or debit cards, then you will be handling cardholder data. If you wish to store this information, both industry rules and public laws require you to handle this information in a highly secure manner and in very specific ways. Failure to protect cardholder data could subject you to fines or even harsher penalties under the law. Not only that, because the law requires you to report data breaches and notify your customers, you would have to fight the bad publicity associated with such a breach, and your business’s reputation will suffer. Protecting cardholder data, therefore, translates directly to protecting your business.
Fortunately, there are payment processors and third-party tokenization providers who can help you simplify PCI compliance and make it easy for you to protect cardholder data with secure, easy-to-use software. Reputable payment processors and tokenization providers are also mindful of their own practices on who can access cardholder data and stand behind their practices.
What’s your experience with handling cardholder information? Do you keep the information in-house, or do you take advantage of third-party storage services?