Clarification on cardholder data and protections

Back in July, in response to a number of queries, I wrote about what level of protection is required to meet PCI compliance requirements when other elements of cardholder data are stored with the PAN.

I wrote that only the PAN needs to be encrypted/hashed (or otherwise made unreadable) and that other elements such as cardholder name, expiry date or service code need not be made unreadable. I received a bunch of feedback from people (QSAs and others) saying that I had understood the requirements wrong and that I was giving bad advice.

This was even after I pointed to the FAQ on the PCI SSC website that backed my stand. Well, version 2.0 of the PCI DSS requirements was released a few days ago and it contains the following clarification:

If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply only to PAN.

Requirement 3.3 addresses masking the PAN when it is displayed, and Requirement 3.4 addresses rendering the stored PAN unreadable by either encrypting or hashing it.
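As an added illustration (not code from the original post or from the PCI SSC), the following Python shows what that split looks like in practice: the PAN is masked for display and hashed for storage, while cardholder name, expiration date and service code are stored readable. The key, the field names and the sample record are assumptions.

```python
import hashlib
import hmac
import re
# Hypothetical key for the keyed hash (an assumption, not from the post);
# in production it comes from a key-management system, never source code.
HASH_KEY = b"example-key-not-for-production"
PAN_RE = re.compile(r"^\d{13,19}$")


def mask_pan(pan: str) -> str:
    """Requirement 3.3 masking: show at most the first six and last four
    digits; every digit in between is replaced."""
    if not PAN_RE.match(pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Requirement 3.4 rendering unreadable: keyed one-way hash (HMAC-SHA256)
    over the entire PAN. The key must be protected, since an unkeyed hash of
    a 16-digit PAN with a known issuer prefix is cheap to brute-force."""
    if not PAN_RE.match(pan):
        raise ValueError("PAN must be 13-19 digits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def protect_record(rec: dict) -> dict:
    """Storable form of a cardholder record: only the PAN is hashed and
    masked. Name, expiration date and service code stay readable (they are
    still covered by the other PCI DSS requirements, e.g. access control).
    Sensitive authentication data such as CVV2 is dropped: Requirement 3.2
    forbids storing it after authorisation."""
    return {
        "pan_hash": hash_pan(rec["pan"]),
        "pan_masked": mask_pan(rec["pan"]),
        "cardholder_name": rec["cardholder_name"],
        "expiry": rec["expiry"],
        "service_code": rec["service_code"],
    }


def contains_full_pan(stored: dict, pan: str) -> bool:
    """Review check: the full PAN must not survive in any stored field."""
    return any(pan in str(v) for v in stored.values())


# Constructed sample record using a well-known test PAN, not a real card.
SAMPLE = {"pan": "4111111111111111", "cardholder_name": "J. Doe",
          "expiry": "12/14", "service_code": "201", "cvv2": "123"}
```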

Hopefully, this will lay to rest the question of whether the other elements of cardholder data need to be made unreadable.

PCI DSS v2.0 also clarifies what constitutes each of the following:
Cardholder data:
Primary Account Number, Cardholder Name, Expiration Date, Service Code

Sensitive Authentication Data:
Full magnetic stripe data or equivalent on a chip, CAV2, CVC2, CVV2, CID

Account Data:
Cardholder data + Sensitive Authentication Data