PrepAway - Latest Free Exam Questions & Answers

Which of the following items cannot be stored by the me…

According to Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) there is a
requirement to “protect stored cardholder data.” Which of the following items cannot be stored by the
merchant?

A. Primary Account Number

B. Cardholder Name

C. Expiration Date

D. The Card Validation Code (CVV2)

Explanation:
Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is to “protect stored
cardholder data.” The public assumes merchants and financial institutions will protect data on payment cards to
thwart theft and prevent unauthorized use.
Requirement 3 applies only if cardholder data is stored. Merchants who do not store any cardholder data
automatically provide stronger protection by having eliminated a key target for data thieves.
For merchants who have a legitimate business reason to store cardholder data, it is important to understand
what data elements PCI DSS allows them to store and what measures they must take to protect those data. To
prevent unauthorized storage, only council certified PIN entry devices and payment applications may be used.
PCI DSS compliance is enforced by the major payment card brands who established the PCI DSS and the PCI
Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard
Worldwide and Visa Inc.
PCI DSS Requirement 3
It details technical guidelines for protecting stored cardholder data. Merchants should develop a data retention
and storage policy that strictly limits storage amount and retention time to that which is required for business,
legal, and/or regulatory purposes.
Sensitive authentication data must never be stored after authorization – even if this data is encrypted.
Never store full contents of any track from the card’s magnetic stripe or chip (referred to as full track, track,
track 1, track 2, or magnetic stripe data). If required for business purposes, the cardholder’s name, PAN,
expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS
requirements.
Never store the card-validation code (CVV) or value (three- or four-digit number printed on the front or back
of a payment card used to validate card-not-present transactions).
Never store the personal identification number (PIN) or PIN Block.
Be sure to mask PAN whenever it is displayed. The first six and last four digits are the maximum number of
digits that may be displayed. This requirement does not apply to those authorized with a specific need to see
the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data such as in a
point-of-sale receipt.
Incorrect Answers:
A: The Primary Account Number can be stored by the merchant according to the PCI Data Storage Guidelines.
B: The Cardholder Name can be stored by the merchant according to the PCI Data Storage Guidelines.
C: The Expiration Date can be stored by the merchant according to the PCI Data Storage Guidelines.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
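
The storage and display rules from the explanation above, applied in Python as an added example (not part of the original page or of any PCI SSC material). The field names and the 13 to 19 digit PAN length check are assumptions of this example, and the sample record is constructed.

```python
import re

# Sensitive authentication data: never stored after authorization, even if
# encrypted. Field names here are assumptions made for this example.
SENSITIVE_AUTH_FIELDS = {"cvv2", "track1", "track2", "pin", "pin_block"}
# Elements that may be stored when protected in accordance with PCI DSS.
STORABLE_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits."""
    digits = re.sub(r"[ -]", "", pan)  # tolerate spaces and dashes
    # Assumed length range for a PAN; reject anything else instead of guessing.
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def strip_for_storage(auth_record: dict) -> tuple[dict, list[str]]:
    """Keep only storable elements (allowlist) and report which sensitive
    authentication data fields were present so the caller can audit them.
    Protecting the kept PAN at rest is outside the scope of this example."""
    kept = {k: v for k, v in auth_record.items() if k in STORABLE_FIELDS}
    dropped_sad = sorted(k for k in auth_record if k in SENSITIVE_AUTH_FIELDS)
    return kept, dropped_sad


# Constructed sample record using a well-known test card number.
SAMPLE = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "TEST CARDHOLDER",
    "expiration_date": "12/30",
    "service_code": "201",
    "cvv2": "123",
    "track2": "constructed-track-placeholder",
    "pin_block": "constructed-pin-block-placeholder",
}

if __name__ == "__main__":
    record, dropped = strip_for_storage(SAMPLE)
    print("stored fields:", sorted(record))
    print("discarded sensitive authentication data:", dropped)
    print("display PAN:", mask_pan(record["pan"]))
```
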