PCI Rules for Storing Credit Card Numbers in a Database

Many web developers and software programmers design platforms that require digital payments. It is important that developers of payment solutions understand how and why their solution handles cardholder data (CHD). There are many reasons why a solution might store that data, short or long term, including payment processing, transaction history, and recurring billing. Consumers assume that merchants and financial solutions will handle this data securely, to thwart theft and prevent unauthorized use. The reality is that many merchants are not even aware that they are storing CHD. Industry research indicates that up to 67% of merchants today are storing unencrypted cardholder data.

The Payment Card Industry Data Security Standard (PCI-DSS) is a widely accepted set of requirements intended to secure credit, debit and prepaid card transactions and to protect cardholders against misuse of their account data.

A set of requirements set forth by the PCI Security Standards Council (PCI-SSC) and supported by the major card brands, PCI-DSS requirements apply to all entities that store, process or transmit cardholder data. PCI-DSS requirements state that cardholder data can only be stored for a “legitimate legal, regulatory, or business reason.” In other words: “If you don’t need it, don’t store it.”

Those with a legitimate business reason to store cardholder data must understand what data elements PCI-DSS allows them to store and what measures they must take to protect that data.

It is important to note that these statements apply to Cardholder Data (the Primary Account Number or PAN, which is 16 digits for most brands but can be up to 19; the expiration date; the cardholder name; and the service code), and do not apply to Sensitive Authentication Data (full track data, PIN, PIN block, and the card verification code printed on the card: CVV2, CVC2, CAV2 or CID). Sensitive Authentication Data (SAD) can never be stored after authorization, even in encrypted form.

If cardholder data is to be stored, PCI-DSS (Requirement 3.4) states that the PAN must be rendered unreadable anywhere it is stored, using one of the approved methods (strong one-way hashing, truncation, index tokens and pads, or strong cryptography with key management).

Credit Card Data: What is Allowed to be Stored

  • Primary Account Number (PAN), but only if rendered unreadable (Requirement 3.4)
  • Cardholder name
  • Expiration date
  • Service code

Credit Card Data: What is Not Allowed to be Stored

  • Full track data (magnetic stripe or chip equivalent)
  • Card verification code (CVV2, CVC2, CAV2, CID)
  • PIN and PIN block

[Infographic: what developers need to know about storing credit card numbers]

PCI Requirements for Storage of Cardholder Data

Requirement 3 (Protect stored cardholder data) is broken down into several sub-requirements. The overarching principle is that limiting, prohibiting, and deleting stored cardholder data removes a key target for cybercriminals. Merchants that do not store cardholder data are far less likely to suffer an expensive, time-consuming, and reputationally damaging breach of their customers' card data.

It is important to know the definitions and differences between Account Data, Cardholder Data, and Sensitive Authentication Data. Account Data represents all the data that can be found on a credit card. Account Data is further broken down into either Cardholder Data (CHD) or Sensitive Authentication Data (SAD).

Cardholder data (CHD) includes the PAN (typically 16 digits, up to 19), expiration date, cardholder name, and service code. This data is traditionally (but not always) printed on the front of the card. Storage of cardholder data should be limited to what is necessary to meet legal, regulatory, or business needs, and a stored PAN must be rendered unreadable.

Sensitive Authentication Data (SAD) includes the full track data held on the magnetic stripe (or the equivalent data on a chip), the card verification code (CVV2, CVC2, CAV2, CID), the PIN, and the PIN block. This data can never be stored after authorization, even if encrypted. The only entities that may store SAD are issuers and companies that support issuing services, and only with a documented business justification and secure storage.

The sub-requirement numbering below follows PCI DSS v3.2.1.

PCI Rule 3.1

Keep cardholder data storage to a minimum. Implement a data retention and disposal policy that limits the amount of data stored and the retention time to what legal, regulatory, or business requirements demand, defines how data is securely deleted when it is no longer needed, and includes a process, run at least quarterly, to identify and securely delete stored cardholder data that exceeds the defined retention period.

PCI Rule 3.2

Do not store sensitive authentication data after authorization, even if it is encrypted. If SAD is received, render it unrecoverable once authorization is complete. Specifically, never store the full contents of any track (3.2.1), the card verification code (3.2.2), or the PIN and encrypted PIN block (3.2.3). Only issuers, and companies that support issuing services, may store SAD, and only with a documented business justification and secure storage.

PCI Rule 3.3

Mask the PAN when it is displayed, so that only personnel with a legitimate business need can see more than the first six and last four digits; the first six and last four digits are the maximum that may be shown. This rule governs display only; it is distinct from the truncation used for storage under 3.4.

PCI Rule 3.4

Render the PAN unreadable anywhere it is stored, including portable digital media, backup media, and logs, using one of the following methods:

  • One-way hashes based on strong cryptography, computed over the entire PAN. The stored digest can serve as a lookup index into records that hold the sensitive data, but a plain, unkeyed hash of a PAN is weak: the PAN space is small, and given the issuer prefix and the last four digits the hidden digits can be enumerated in seconds. PCI DSS v4.0 (Requirement 3.5.1.1) therefore requires keyed cryptographic hashes, with key management, for this method.
  • Truncation. Storing only a segment of the PAN, such as the last four digits. Hashing may not be used to replace the truncated segment, and where hashed and truncated versions of the same PAN both exist in the environment, additional controls must ensure the two cannot be correlated to reconstruct the original PAN.
  • Index tokens and pads. The PAN is combined with a random one-time pad; the record stores only an index token and the padded value, and the pads must be stored securely and separately from the tokens.
  • Strong cryptography with associated key-management processes and procedures. Strong cryptography means industry-tested and accepted algorithms with adequate key lengths (for example AES with 128-bit or longer keys), and the key-protection and key-management requirements of 3.5 and 3.6 apply to the keys.

Rendering PAN data unreadable means that an attacker who obtains the stored data cannot recover the PAN without also obtaining the key or pad, which must be held separately; the stolen data is then essentially useless. Note also 3.4.1: where disk-level or partition-level encryption is used instead of file- or column-level encryption, logical access to the encrypted data must be managed separately and independently of the native operating system authentication, and decryption keys must not be tied to user accounts, because full-disk encryption alone only protects data while the disk is powered off.
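As an added example (this code is not from the original article or from Global Payments Integrated), the following Python, using only the standard library, implements the Requirement 3.3 display mask and three of the Requirement 3.4 storage methods listed above (truncation, one-way hashing in both unkeyed and keyed form, and index tokens with pads), and carries out the brute-force reconstruction that the standard's note on correlating hashed and truncated PANs warns about. The test PAN is the public Visa test number 4111111111111111, the HMAC key and pads are generated inside the script, the pad store is a plain dict standing in for a separately secured store, and all function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed test input: the well-known Visa test number (passes Luhn, not a live card).
TEST_PAN = "4111111111111111"

# Inverse of the Luhn "double, then subtract 9 if over 9" step; it is a bijection on 0..9.
DOUBLE_INV = {(2 * d if 2 * d < 10 else 2 * d - 9): d for d in range(10)}


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = 2 * d if 2 * d < 10 else 2 * d - 9
        total += d
    return total % 10 == 0


def luhn_fill(pan: str, pos: int) -> str:
    """Return pan with the digit at index pos replaced so the Luhn check passes.
    Exactly one digit value works for any position, which is what lets the
    attack below skip nine tenths of the candidate space."""
    digits = [int(c) for c in pan]
    digits[pos] = 0
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = 2 * d if 2 * d < 10 else 2 * d - 9
        total += d
    need = (-total) % 10
    doubled = (len(digits) - 1 - pos) % 2 == 1
    fill = DOUBLE_INV[need] if doubled else need
    return pan[:pos] + str(fill) + pan[pos + 1:]


def mask_pan(pan: str) -> str:
    """Requirement 3.3 (display): show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation (storage): keep only a segment, here the last four."""
    return pan[-4:]


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the entire PAN: the weak form of the 3.4 hashing method."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the entire PAN: the keyed hash PCI DSS v4.0 (3.5.1.1) requires."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, first6: str, last4: str, length: int = 16):
    """The attack behind the 3.4 note on correlating hashed and truncated PANs:
    with the first six and last four digits known (from a masked display or a
    truncated copy) and an unkeyed hash, the hidden digits are brute-forced.
    For a 16-digit PAN that is six hidden digits, one of which Luhn fixes, so
    at most 10**5 SHA-256 computations. Returns None when nothing matches,
    which is what happens against a keyed hash whose key the attacker lacks."""
    hidden = length - 10
    gap = 6 + hidden - 1                     # last hidden position, solved via Luhn
    for n in range(10 ** (hidden - 1)):
        cand = luhn_fill(first6 + f"{n:0{hidden - 1}d}" + "0" + last4, gap)
        if plain_hash(cand) == digest:
            return cand
    return None


def tokenize_with_pad(pan: str, pad_store: dict) -> tuple:
    """Requirement 3.4 'index tokens and pads': XOR the PAN with a random one-time
    pad; the record keeps the index token and the padded bytes, while the pad is
    written to a separately secured store (here a dict) keyed by the token."""
    pad = secrets.token_bytes(len(pan))
    token = secrets.token_hex(8)
    pad_store[token] = pad
    return token, bytes(a ^ b for a, b in zip(pan.encode(), pad))


def detokenize(token: str, padded: bytes, pad_store: dict) -> str:
    """Recover the PAN; only possible with access to the pad store."""
    return bytes(a ^ b for a, b in zip(padded, pad_store[token])).decode()


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # in production: held in an HSM or KMS (3.5, 3.6)
    first6, last4 = TEST_PAN[:6], TEST_PAN[-4:]
    print("masked    :", mask_pan(TEST_PAN))                              # 411111******1111
    print("truncated :", truncate_pan(TEST_PAN))                          # 1111
    print("plain hash + mask ->", recover_pan(plain_hash(TEST_PAN), first6, last4))       # 4111111111111111
    print("keyed hash + mask ->", recover_pan(keyed_hash(TEST_PAN, key), first6, last4))  # None
    store = {}
    token, padded = tokenize_with_pad(TEST_PAN, store)
    print("token:", token, "recovered:", detokenize(token, padded, store))
```

Run as a script, it prints the masked and truncated forms, recovers the full PAN from its unkeyed hash plus the digits every masked receipt exposes, and fails to do so for the keyed hash. The attack needs only 10**5 candidates because a 16-digit PAN hides six digits behind the mask and Luhn fixes one of them, so an unkeyed hash of a PAN offers essentially no protection once the first six and last four are known; that is why v4.0 mandates keyed hashes and why 3.4 requires additional controls whenever hashed and truncated versions of the same PAN coexist.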

PCI Rule 3.5

Document and implement procedures to protect the keys used to secure stored cardholder data against disclosure and misuse: restrict access to keys to the fewest custodians necessary; keep key-encrypting keys at least as strong as the data-encrypting keys they protect and store the two separately; hold secret and private keys either encrypted under a key-encrypting key, inside a secure cryptographic device such as an HSM, or as at least two full-length key components under split knowledge and dual control; and store keys in the fewest possible locations.

PCI Rule 3.6

Fully document and implement all key-management processes and procedures for the keys used to encrypt cardholder data: generation of strong keys, secure key distribution, secure key storage, key changes at the end of the defined cryptoperiod, retirement or replacement of keys that are weakened or suspected of compromise, split knowledge and dual control for any manual clear-text key operation, prevention of unauthorized key substitution, and formal acknowledgment by key custodians of their responsibilities.

Conclusion

Global Payments Integrated helps businesses succeed by delivering secure and personalized payment solutions.