
What Payment Card Data Can You Store: PCI Compliance Guide

By Sofia Laurent

Every transaction leaves a digital trace, and for businesses the question of what to retain is as critical as the transaction itself. The short answer to what payment card data you are allowed to store is that the scope is intentionally narrow: it is governed by the strict rules of PCI DSS and reinforced by related standards such as PCI PTS and by regional regulations. You are permitted to store cardholder data only to the absolute minimum necessary to fulfil the transaction, settle disputes, or comply with a legal mandate, and even then the storage format dictates your level of responsibility. The guiding principle is clear: if you do not need it to process the transaction or prove that it occurred, it should never touch your servers.

Understanding Payment Card Data Categories

To determine what you can store, you must first understand the distinct categories defined by the Payment Card Industry Data Security Standard (PCI DSS). The first category is Cardholder Data (CHD): the information that appears on the physical card, including the Primary Account Number (PAN), the cardholder's name, the expiration date, and the service code. This is the data that must be protected at all costs, because its compromise leads directly to fraud. The second category is Sensitive Authentication Data (SAD), which proves possession of the card and is strictly forbidden from being stored after authorization. It includes full magnetic stripe (track) data, CVV/CVC codes, and PINs. The final category is Personally Identifiable Information (PII), such as a customer's billing address or phone number, which is not on the magnetic stripe but is often linked to the account for verification purposes.

The Golden Rule: Storage of the Primary Account Number (PAN)

The cornerstone of what you can store is the Primary Account Number (PAN). You are allowed to store the PAN, but you must never store it in clear text. If you must retain the number for recurring billing or reconciliation, it must be rendered unreadable through strong cryptography or truncation. Truncation means keeping at most the first six and last four digits, with the middle digits removed or masked with asterisks (e.g., ****-****-****-1234, which keeps only the last four). If you store the full PAN, even encrypted, you assume the highest level of responsibility for its protection, which requires rigorous key management and audit trails that most small to medium businesses cannot feasibly maintain.

What Sensitive Authentication Data (SAD) You Can Never Store

While there is flexibility with PANs, the rules for Sensitive Authentication Data (SAD) are absolute and unforgiving. You are strictly prohibited from storing the Card Verification Value (CVV, CVC, or CID), the full magnetic stripe data, or the Personal Identification Number (PIN) block after authorization, even if your system encrypts it. This rule exists because this data is not embossed on the card and is meant to serve as one-time proof of possession during the transaction. If a merchant stores this data and a breach occurs, the merchant is automatically deemed non-compliant with PCI DSS, regardless of any other security measures in place. The authorization process is designed to verify the data without keeping it, and your systems should mirror that design.
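The PAN truncation rule above and the SAD prohibition in this section can be enforced at the point where an authorization response is persisted. The following is an added example written for this article, not code from the author or from any PCI document; the field names in the incoming record, the 13-19 digit PAN length check, and the demo HMAC key are assumptions.

```python
import hashlib
import hmac
import re
from typing import Any

# Field names PCI DSS forbids retaining after authorization (SAD). The exact
# key names are an assumption about the shape of the incoming record.
SAD_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# Constructed demo key for the keyed one-way hash. A real deployment pulls it
# from an HSM or key manager and never embeds it in source.
_LOOKUP_KEY = b"demo-key-not-for-production"


def luhn_ok(pan: str) -> bool:
    """Luhn check so obviously malformed input is rejected before storage."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_lookup_hash(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) so the same card can be matched for
    reconciliation without the PAN itself ever being written down."""
    return hmac.new(_LOOKUP_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth_record: dict[str, Any]) -> dict[str, Any]:
    """Return only the fields that may be persisted post-authorization."""
    pan = re.sub(r"[\s-]", "", str(auth_record["pan"]))
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check")
    # Drop SAD outright; encrypting it would not make retention permissible.
    stored = {k: v for k, v in auth_record.items() if k not in SAD_FIELDS}
    stored["pan"] = truncate_pan(pan)
    stored["pan_hash"] = pan_lookup_hash(pan)
    return stored
```

Storing a truncated PAN alongside a keyed hash of the same PAN is acceptable only when the hash key is managed separately from the database, so that the two cannot be combined to reconstruct the number.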

Beyond the technical standards of PCI DSS, regional laws impose additional layers of restriction on what payment card data you are allowed to store. Regulations such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States treat raw card data as highly sensitive personal data. These laws often require "data minimization," which aligns with PCI rules by limiting the storage duration and scope of the data. Furthermore, certain merchants, such as e-commerce sites that use third-party hosted payment pages, may find that storing any card data on their own infrastructure violates the terms of service of their payment processor, exposing them to fines beyond the PCI assessment itself.

The Value of Tokenization and Vaults

Tokenization and card vaults let you keep a reference to a card without holding the PAN yourself, which ties the earlier points together: store the minimum, never retain SAD, and keep any PAN you do store unreadable.


Written by Sofia Laurent

Sofia Laurent is a Senior Editor exploring design, lifestyle, and global trends. She blends editorial clarity with a refined point of view.