No storage of full PAN / SAD beyond what is allowed
Demonstrate that the organization does not store full PAN or sensitive authentication data beyond PCI DSS-permitted use cases, and that technical and procedural controls enforce immediate deletion or masking post-authorization.
Description
What this control does
This control prohibits the storage of full Primary Account Numbers (PAN), magnetic stripe data, CAV2/CVC2/CVV2 codes, and PINs beyond what PCI DSS explicitly permits (for sensitive authentication data, only until authorization is complete). Organizations must implement technical controls such as truncation, hashing, tokenization, or encryption to prevent unauthorized retention of full cardholder data post-authorization. Data retention policies, automated purge routines, and system configurations must enforce immediate deletion or masking of sensitive authentication data (SAD) once the transaction completes. This control is foundational to reducing the scope of the cardholder data environment and limiting exposure in the event of a breach.
Control objective
What auditing this proves
Demonstrate that the organization does not store full PAN or sensitive authentication data beyond PCI DSS-permitted use cases, and that technical and procedural controls enforce immediate deletion or masking post-authorization.
Associated risks
Risks this control addresses
- Attackers exfiltrating full PANs from databases, logs, or backups due to unnecessary long-term storage, enabling card-not-present fraud
- Exposure of magnetic stripe data (track data) or CVV2 codes stored in violation of PCI DSS Requirement 3.2, facilitating card cloning or fraudulent transactions
- Insiders or malicious actors retrieving stored PINs or PIN blocks from systems, leading to ATM fraud or account takeover
- Compliance violations resulting in acquirer fines, loss of card processing privileges, or mandatory forensic investigations following a breach
- Retention of cardholder data in application logs, error messages, or debugging output creating unintended data stores outside formal CDE boundaries
- Backup systems or archived data retaining prohibited data elements indefinitely, expanding breach surface area and discovery scope
- Third-party service providers storing prohibited data on behalf of the organization without proper contractual controls or oversight
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data retention and disposal policy specific to cardholder data and sensitive authentication data, noting permitted storage durations and data elements.
- Identify all systems, applications, databases, and storage locations within the cardholder data environment (CDE) that process, transmit, or could potentially store PAN or SAD.
- Select a representative sample of databases, application servers, file systems, and backup repositories for inspection, ensuring coverage of production, test, and archive environments.
- Execute automated or manual scans using PAN discovery tools or database queries to search for unmasked PANs, track data, CVV2 codes, and PIN data across sampled systems.
- Review application code, logging configurations, and error-handling routines to verify that full PAN and SAD are not written to logs, debug files, or temporary storage.
- Interview system administrators and developers to confirm procedures for immediate deletion or truncation of SAD following authorization, and validate supporting evidence such as purge job logs or configuration scripts.
- Examine a sample of cardholder data records post-authorization to verify truncation, tokenization, or masking is applied and that no prohibited data elements (magnetic stripe, CVV2, PIN) are present.
- Review backup and archive policies and test restoration procedures to confirm that prohibited data is either excluded from backups or securely purged according to retention schedules.
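The description above names truncation and masking as the controls, and the testing procedure calls for scanning logs and storage for unmasked PANs, track data, CVV2 codes, and PIN data. The Python script below is an added example and is not part of this control page or of any particular discovery tool: it runs a minimal PAN/SAD discovery scan over a few constructed log lines, uses a Luhn (mod-10) check to discard digit runs that merely look like card numbers, and shows the first-six/last-four masking that compliant log output should carry instead of a full PAN. The function names (luhn_valid, mask_pan, scan_lines, Finding), the regular expressions, and the sample lines are all assumptions made for the example; the PANs in the sample are the widely published test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example, not from the control page: a small PAN/SAD discovery scan of the
# kind the testing procedure describes, run over constructed log lines.


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used to cut false positives on 13-19 digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six / last four, the most PCI DSS allows on display."""
    d = re.sub(r"\D", "", pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic stripe track 1 (%B<PAN>^name^YYMM...?) and track 2 (;<PAN>=YYMM...?) layouts.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\??")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\??")
# Card verification code and PIN fields written as key=value or JSON pairs (assumed field names).
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|cav2|cid)\b["\']?\s*[:=]\s*["\']?(\d{3,4})\b', re.I)
PIN_RE = re.compile(r'\b(?:pin_block|pin)\b["\']?\s*[:=]\s*["\']?([0-9a-f]{4,16})\b', re.I)


@dataclass
class Finding:
    line_no: int
    kind: str       # PAN, TRACK1, TRACK2, CVV, PIN
    evidence: str   # already masked so the scan report is not itself a new data store


def scan_lines(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        # Track data first; then blank it out so the PAN pass does not report it twice.
        for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            for m in rx.finditer(line):
                findings.append(Finding(n, kind, "track data with PAN " + mask_pan(m.group(1))))
            line = rx.sub("<track-redacted>", line)
        # Any 13-19 digit run that also passes Luhn is treated as an unmasked PAN.
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
        # SAD fields: report presence only, never the value.
        for kind, rx in (("CVV", CVV_RE), ("PIN", PIN_RE)):
            if rx.search(line):
                findings.append(Finding(n, kind, "value present, redacted"))
    return findings


# Constructed sample log lines: line 1 is correctly masked, line 4 is a plain order
# number that fails Luhn, the others carry prohibited data in different forms.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z INFO auth ok pan=411111******1111 amount=12.00',
    '2024-05-01T10:00:01Z DEBUG request body: {"pan": "4111 1111 1111 1111", "cvv2": "123", "exp": "1227"}',
    '2024-05-01T10:00:02Z ERROR swipe parse failed: %B5555555555554444^DOE/JANE^2712101000000000?;5555555555554444=2712101000000000?',
    '2024-05-01T10:00:03Z INFO order 1234567890123 shipped',
    '2024-05-01T10:00:04Z DEBUG pinpad: pin_block=A1B2C3D4E5F60718',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.evidence}")
```

Run against the sample, the scan reports a PAN and a CVV on line 2, track 1 and track 2 data on line 3, and a PIN block on line 5, while the masked line 1 and the Luhn-failing order number on line 4 produce nothing. The report carries only masked PANs and "value present" markers, which matters in practice: a discovery tool that writes full PANs into its own output creates exactly the unintended data store the associated risks list warns about. A production scan would run the same logic over database exports, backup images, and application log archives, not just live log files.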
Where this control is tested