Comments on: PCI DSS v1.2.1 – No PAN, No Cardholder Data http://chaordicmind.com/blog/2009/08/12/pci-dss-v1-2-1-no-pan-no-cardholder-data/ Mixing childlike wonder with adultlike understanding Thu, 09 Feb 2012 14:50:58 +0000 hourly 1 http://wordpress.org/?v= By: Sam Rodriguez http://chaordicmind.com/blog/2009/08/12/pci-dss-v1-2-1-no-pan-no-cardholder-data/comment-page-1/#comment-299 Sam Rodriguez Wed, 16 Dec 2009 20:06:36 +0000 http://chaordicmind.com/blog/?p=93#comment-299 I recently underwent a PCI-GAP Analysis. I had to argue the point above because the analyst (QSA) had our whole company (and every PC in it!) in scope. v1.2.1 of the PCI DSS standard p.5 "PCI DSS Applicability Information" clearly indicates that Cardholder Name is an e l e m e n t of the Cardholder Data. I think they could have been equally clear of what constitute the PAN (other than the obvious). As it is not uncommon to store the cardholder name with the last four of the PAN - as in the CC receipt. I recently underwent a PCI-GAP Analysis. I had to argue the point above because the analyst (QSA) had our whole company (and every PC in it!) in scope.

v1.2.1 of the PCI DSS standard p.5 “PCI DSS Applicability Information” clearly indicates that Cardholder Name is an e l e m e n t of the Cardholder Data.

I think they could have been equally clear of what constitute the PAN (other than the obvious). As it is not uncommon to store the cardholder name with the last four of the PAN – as in the CC receipt.

]]> By: admin http://chaordicmind.com/blog/2009/08/12/pci-dss-v1-2-1-no-pan-no-cardholder-data/comment-page-1/#comment-115 admin Sat, 15 Aug 2009 21:41:06 +0000 http://chaordicmind.com/blog/?p=93#comment-115 Although it's very important to limit the amount of data on a system and restrict access to that data based on least privilege, this may not apply the way you think it does. I don't see how anyone can create a valid PAN based on just the last 4 digits. The name and expiration data have nothing to do with creating a valid PAN so they are irrelevant. Although it’s very important to limit the amount of data on a system and restrict access to that data based on least privilege, this may not apply the way you think it does.

I don’t see how anyone can create a valid PAN based on just the last 4 digits. The name and expiration data have nothing to do with creating a valid PAN so they are irrelevant.

]]> By: admin http://chaordicmind.com/blog/2009/08/12/pci-dss-v1-2-1-no-pan-no-cardholder-data/comment-page-1/#comment-114 admin Sat, 15 Aug 2009 21:38:50 +0000 http://chaordicmind.com/blog/?p=93#comment-114 Julio, you ask a very good question. We could debate the question of separation but why? The PCI DSS does not state that the name or expiration data need to be encrypted, just that they are "protected", which could mean a wide range of things. I would keep focusing on the PAN and how to secure it. Julio, you ask a very good question. We could debate the question of separation but why? The PCI DSS does not state that the name or expiration data need to be encrypted, just that they are “protected”, which could mean a wide range of things.

I would keep focusing on the PAN and how to secure it.

]]> By: Elba Stevenson http://chaordicmind.com/blog/2009/08/12/pci-dss-v1-2-1-no-pan-no-cardholder-data/comment-page-1/#comment-113 Elba Stevenson Fri, 14 Aug 2009 14:21:28 +0000 http://chaordicmind.com/blog/?p=93#comment-113 I'm in some agreement, BUT I have always said that you also need to not store or shoe the expiration date. There have been several examples where a valid PAN can be created using a combination of the last 4, Name and expiration date. So I have always advised, not showing, storing or transmitting the expiration date. I’m in some agreement, BUT I have always said that you also need to not store or shoe the expiration date. There have been several examples where a valid PAN can be created using a combination of the last 4, Name and expiration date. So I have always advised, not showing, storing or transmitting the expiration date.

]]> By: Julio Jones http://chaordicmind.com/blog/2009/08/12/pci-dss-v1-2-1-no-pan-no-cardholder-data/comment-page-1/#comment-108 Julio Jones Thu, 13 Aug 2009 14:02:32 +0000 http://chaordicmind.com/blog/?p=93#comment-108 Yes that is a very "minor" omission on their part! What would you consider "stored with"? Would name/exp need to be just in the same database, separate database same machine, different machines, etc? If a company stored the name and exp in one database and the PAN in a different database would they be considered "stored with" the PAN? The server would still be in scope, but would the name/exp. Great catch! Yes that is a very “minor” omission on their part! What would you consider “stored with”? Would name/exp need to be just in the same database, separate database same machine, different machines, etc? If a company stored the name and exp in one database and the PAN in a different database would they be considered “stored with” the PAN? The server would still be in scope, but would the name/exp. Great catch!

]]>