The rules about keeping 16-digit card numbers, CVV, and expiration dates.

Brand Barney, Security Analyst, SecurityMetrics
Payment card data is one of my favorite discussion topics with merchants. It doesn’t matter who they are, how big their organization is, or how many years they’ve been in business: so many businesses store card data inappropriately (and often unknowingly!).

SEE ALSO: Infographic: 63% of Businesses Don't Encrypt Credit Cards

Everyone loves fails, am I right? Here’s a great (and true) security fail to illustrate bad card data storage.

One of my colleagues visited a customer to get some information about how they processed their credit cards. They told him how their secretary had a secure way of storing the inner-office credit cards. The secretary proudly explained,
“Well, first I put all the card numbers and expiration dates in an Excel spreadsheet. Then I grab the column and scroll it over and it ‘encrypts’!”
Bless her heart. That secretary thought she had “encrypted” their credit cards because they showed up as a line of asterisks.

Encryption Fail
Watch the video to learn more about what card data you can and can’t store.


Let me summarize.

If it’s encrypted, here’s what you’re allowed to store:

  • PAN (Primary Account Number) (e.g., the 16-digit number on the front of the card)
  • Cardholder name (e.g., John Smith)
  • Expiration date (e.g., 5/18)
  • Service code (Note: You can’t actually see this data on a physical card because it resides in the magnetic stripe)

Even if it’s encrypted, you can NEVER store:

  • Sensitive authentication data (i.e., full magnetic stripe info)
  • PIN
  • PIN block (i.e., the encrypted PIN)
  • Card validation value (CVV), also known as three/four-digit service code or card security code
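The spreadsheet story above is exactly the kind of storage an auditor wants to find before an attacker does. The following is an added example, not code from the original post or from SecurityMetrics: a small Python scanner that takes a CSV export (the constructed sample rows and column names are assumptions made for this example, using well-known test card numbers), flags column headers that hold data you can never store (CVV, PIN, track data), and reports any Luhn-valid PAN it finds, masked to the first six and last four digits.

```python
import csv
import io
import re

# Column names for sensitive authentication data that PCI DSS forbids storing
# after authorization, even encrypted (CVV/CVC, PIN, PIN block, magstripe tracks).
FORBIDDEN_HEADERS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin block",
                     "track", "track1", "track2", "magstripe"}
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return digit-only strings in text that look like PANs and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_csv(csv_text: str) -> dict:
    """Report forbidden columns and masked PANs (with row numbers) in a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    forbidden = [h for h in reader.fieldnames if h.strip().lower() in FORBIDDEN_HEADERS]
    pans = []
    for row_num, row in enumerate(reader, start=2):  # header is line 1
        for value in row.values():
            for pan in find_pans(value or ""):
                pans.append((row_num, mask_pan(pan)))
    return {"forbidden_columns": forbidden, "pans": pans}

# Constructed sample export (industry test card numbers, not real accounts).
SAMPLE = """Name,Card Number,Exp,CVV
John Smith,4111 1111 1111 1111,05/18,123
Jane Doe,5555-5555-5555-4444,11/19,456
Note,order ref 1234567890123,n/a,
"""
```

Running `scan_csv(SAMPLE)` flags the CVV column and two masked PANs, while the 13-digit order reference in the last row is ignored because it fails the Luhn check.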

SEE ALSO: Is Your Credit Card Data Leaking?

Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.