PCI DSS Compliance - Storing Credit Card Data

Firstly, what is PCI DSS? If you’ve worked in Ecommerce at all, there’s a good chance you’ve heard the term “PCI DSS compliant” tossed around. PCI DSS stands for the Payment Card Industry Data Security Standard. This standard was developed to improve protection for credit card holders by enforcing vendors to adhere to a specific set of guidelines for storing, processing, and transmitting cardholder data. With the massive growth and convenience in Ecommerce, it’s difficult not to buy online. Online shopping, like anything else on the web, is never completely safe, but with the knowledge that the cart you are punching your credit card number into is PCI DSS compliant, you’ll have more of that warm fuzzy feeling inside.

Second, a little history. PCI DSS was created on December 15, 2004 by the Payment Card Industry Security Standards Council (PCI SSC), another awesomely long acronym, consisting of 5 major players in the credit card biz – Visa, Mastercard, American Express, Discover, and the JCB (Japan Credit Bureau). Each company originally had their own programs established, but came to realize all had similar motives. They came together to develop a universal set of standards, and PCI DSS was born.

As a web developer working on implementing a new shopping cart, there have been many questions about the dos and don’ts on storing credit card info. Storing any kind of credit card information can potentially be a security risk, but at the same time can also significantly improve the user experience in a cart leading to more sales, return traffic, etc.. The following chart comes from the Payment Application Data Security Standard (PA-DSS), which is derived from the PCI DSS. The chart depicts which and how credit card data can be stored.

Basically, no sensitive authentication data can ever be stored. Cardholder data may be stored with one exception. The Primary Account Number (PAN) must be unreadable according to DSS Requirement 3.4. After referring to Requirement 3.4, the PAN may only be stored using “Strong Cryptography”.

Strong Cryptography Definition

Both images were pulled straight from the PCI SSC specs.

Fulfilling all of the requirements of the PA-DSS does not make your cart PCI DSS compliant. You will also need the cart installed in a PCI DSS friendly environment (a story for another time), but it’s a necessary step in the process.