Wednesday, October 24, 2007

PCI DSS Applicability Information

* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).


  1. Hey Hi,

    How do you get about making it mandatory for your projects to comply these?

    The prob I am facing is we have enuf awareness, but people are not willing to comply bcoz of time crunch.

  2. Hi Dharmesh,
    How are you doing ?

    I am a PCI DSS QSA and a PA-QSA. Encryption is mandatory only for the PAN number. Although it can be extended to the other data elements. PCI DSS is typically for the infrastructure. PA-DSS would be applicable for a particular payment application which is storing, transmitting, processing cardholder data during authorization or settlement.

  3. This information is very helpful. It really helps me understand more about PCI DSS. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.