
    How To Collect and Store Credit Card Data Securely

    The ultimate guide to storing credit card data securely

    When merchants accept credit card payments, they also must consider what happens after the transaction is authorized. Can they store the card data? Should they? 

    Because PCI DSS compliance applies to every step of the payment flow, merchants are right to hesitate before holding on to cardholder data past the point of transaction. The exception is when they can store that data securely and compliantly.

    Should Cardholder Data Be Stored?

    In many cases, yes. 

    The decision on whether to store cardholder data can be dependent on a merchant’s business need, such as the ability to route or split incoming payments, and on the company’s appetite for risk. 

    Many times, merchants will want to store cardholder data, whether in-house through an internal Cardholder Data Environment (CDE) or externally with a partner that hosts a CDE on the merchant’s behalf.

    How Do CDEs Work?

    A CDE consists of the people, processes, and system components that store, process, or transmit cardholder data or sensitive authentication data, together with any system that is connected to those components or can affect their security (for example, the directory service that authenticates administrators of the environment).

    Examples of systems commonly found within a CDE include the following:

    • Servers
    • Point of Sale (POS) Systems
    • Network infrastructure
    • Applications

    Systems in a CDE have specific and detailed requirements they must meet in order to store credit card data securely. The Payment Card Industry Data Security Standard (PCI DSS) sets out 12 top-level requirements, broken into several hundred sub-requirements, that apply to every system that stores, processes, or transmits cardholder data, and the first of those requirements is to segment and protect the CDE itself.

    Can Cardholder Data Be Stored Securely?

    Yes, absolutely. 

    Cardholder data must always be stored securely and in adherence to strict compliance and industry standards because it is “in-scope” for PCI DSS 4.0.

    Failing to store cardholder data properly is expensive: the card brands levy non-compliance fines, passed on through the merchant's acquirer, that are commonly cited at up to $100,000 per month. Beyond the fines, loss of reputation, higher insurance premiums, forensic investigation costs, and customer lawsuits typically follow a breach.

    What Does PCI Scope Mean? What’s In Scope?

    PCI DSS scope is not a simple in-or-out question. 

    There are, in fact, three designations for systems:

    • CDE systems (in-scope): any system that stores, processes, or transmits cardholder data or sensitive authentication data, or sits on the same network segment as one that does. Any element of your payment flow that, at any time, handles cardholder data in clear text is unequivocally in scope and is part of the Cardholder Data Environment (CDE).
    • Connected-to or security-impacting: any system that connects to the CDE, or can affect its security, without itself handling cardholder data (for example, a log collector, a patch server, or an identity provider used by CDE administrators). These systems are still in scope for PCI DSS; they are simply not part of the CDE.
    • Out-of-scope: any system that has no connectivity to the CDE, cannot affect its security, and is separated from it by verified segmentation.

    Note that each business is also responsible for the scope and compliance of its partners: for instance, storing cardholder data with a cloud provider requires the merchant to confirm that the provider is PCI DSS compliant for the services actually used, that the interfaces between provider and merchant are covered by one party's assessment, and that responsibility for each requirement is agreed in writing (PCI DSS Requirement 12.8 covers managing third-party service providers).

    How to Store Credit Card Data Securely: Options

    Generally speaking, merchants have two routes to store their credit card data securely: through a third-party service provider or in-house.

    Third-Party Service Providers

    Third-Party service providers can help with the implementation, maintenance, and attestation required to maintain a compliant CDE.

    Today, service providers fall broadly into three types:

    • Payments Service Providers (PSPs) bundle a core offering with payment processing services, allowing merchants to quickly and easily accept payments.
    • Card issuing platforms use their core offering and card issuers (i.e., banks) to generate cards for their customers' end users. 
    • Tokenization platforms provide a core infrastructure without card processing or issuing services. 

    In-House CDE Solution

    Hosting your own compliant CDE can provide efficiencies in cost, system transparency, and integration flexibility that some service providers, especially payment and card-issuing providers, cannot. 

    Setting up a cardholder data environment to store cards isn't rocket science. Still, getting something valuable and compliant requires a large amount of configuration, stakeholder buy-in, documentation, and decision-making. 

    This includes, but is not limited to: 

    • identifying and implementing solutions and vendors, 
    • segmenting and setting up infrastructure and firewalls, 
    • developing and administering training and policies, and more.

    What Can and Cannot be Stored in a CDE?

    PCI DSS breaks cardholder data into a few different categories; some categories may be stored within a CDE's database and others may not.  

    Companies are allowed to store the following types of cardholder data in a CDE, provided the data is protected:

    • Primary Account Number (PAN), which must be rendered unreadable anywhere it is stored (PCI DSS Requirement 3.5), for example by strong encryption, truncation, index tokens, or a keyed cryptographic hash, and which may only be displayed in masked form (typically the first six and last four digits)
    • Expiration Date
    • Cardholder Name
    • Service Code

    While this information is useful for tracking accounts, and is enough for some card-not-present transactions, it is not enough to present a card or to pass the verification checks most processors apply. For that, an organization also needs sensitive authentication data (SAD), which includes the following:

    • Full track data from the card's magnetic stripe or the equivalent data on a chip
    • CAV2/CVC2/CVV2/CID (the three- or four-digit security code)
    • PIN or encrypted PIN block

    SAD is collected from a cardholder during payment and forwarded to the processor, but, unlike cardholder data, companies are prohibited from storing it after authorization, even in encrypted form (PCI DSS Requirement 3.3). This limits the damage of a breach: an attacker who steals the stored records still lacks the data needed to complete the most valuable kinds of unauthorized transactions.
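    The separation described above can be enforced in code rather than by policy alone. The following is an added example, not code from the original page or from Basis Theory's vault: a small tokenization flow that splits an incoming payment into the one-time authorization payload (which carries the CVV and is discarded after the processor call) and the storable cardholder data, then replaces the PAN with a random token, keeps a masked form for display, and uses a keyed hash so the same card can be recognised without storing the PAN in the clear. The hash key, token format, and field names are assumptions; the card number and cardholder are constructed test data. In a real vault the PAN-to-token map itself must also be encrypted at rest with strong cryptography, which this in-memory example omits.

```python
"""Added example: keep sensitive authentication data (SAD) out of storage
and render the PAN unreadable via tokenization. Illustrative only; not a
vendor implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Fields PCI DSS classifies as sensitive authentication data. They may be
# sent to the processor for authorization but must never be persisted.
SAD_FIELDS = frozenset({"cvv", "track_data", "pin", "pin_block"})

# Assumption: a per-deployment secret for the keyed hash of the PAN.
# PCI DSS 4.0 requires a keyed cryptographic hash when hashing a PAN.
HASH_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 12 to 19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked display form: first six and last four digits, rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hash(pan: str) -> str:
    """Keyed hash of the PAN, usable for duplicate detection without the PAN."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def split_for_authorization(payment: dict) -> tuple:
    """Split a payment into (SAD for the one-time processor call, storable CHD)."""
    sad = {k: v for k, v in payment.items() if k in SAD_FIELDS}
    chd = {k: v for k, v in payment.items() if k not in SAD_FIELDS}
    return sad, chd


@dataclass(frozen=True)
class StoredCard:
    """What the merchant's own database is allowed to keep."""
    token: str
    masked_pan: str
    pan_hash: str
    expiry: str
    cardholder_name: str
    service_code: Optional[str]


class TokenVault:
    """Maps random tokens to PANs. The PAN never leaves the vault boundary."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}    # token -> PAN (encrypt at rest in production)
        self._token_by_hash: dict = {}   # keyed hash -> token, for reuse of existing tokens

    def tokenize(self, card: dict) -> StoredCard:
        leaked = SAD_FIELDS & set(card)
        if leaked:
            # Fail closed: SAD must not reach persistent storage, even encrypted.
            raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
        pan = card["pan"].replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        digest = pan_hash(pan)
        token = self._token_by_hash.get(digest)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)   # no relation to the PAN
            self._pan_by_token[token] = pan
            self._token_by_hash[digest] = token
        return StoredCard(
            token=token,
            masked_pan=mask_pan(pan),
            pan_hash=digest,
            expiry=card["expiry"],
            cardholder_name=card["cardholder_name"],
            service_code=card.get("service_code"),
        )

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the CDE) can turn a token back into a PAN."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    # Constructed sample payment; 4111... is a standard test PAN.
    payment = {"pan": "4111 1111 1111 1111", "expiry": "12/29",
               "cardholder_name": "Jane Doe", "cvv": "123"}
    sad, chd = split_for_authorization(payment)   # sad goes to the processor, then is dropped
    vault = TokenVault()
    print(vault.tokenize(chd))
```

    The merchant's application only ever holds the `StoredCard` record; the token is what gets passed around for routing, splitting, or repeat billing, and only the vault can map it back to a PAN. Passing the unsplit payment straight to `tokenize` raises, which is the behaviour you want when a new code path forgets to strip the CVV.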

    Which CDE Configurations are Right for Your Business?

    All organizations have two options for building a cardholder data environment for secure data storage: build a solution in-house or buy.

    Selecting the right option is important, but requires a significant amount of research, planning, and organization to achieve. 

    As a PCI DSS Level 1 service provider, Basis Theory extends an independently assessed and approved CDE (Secure Token Vault) to customers. Combined with a suite of configurable tools, services, and tokens, merchants can collect, secure, and share credit cards without bringing their own systems into the CDE.

    This approach allows companies to avoid the costs and distractions associated with many of the PCI requirements while retaining complete control over their cardholder data.

    If you would like to learn more about the CDE options available to you, reach out to our payment experts and we’ll walk you through all your options.
