PAN Storage and the PCI DSS: Ensuring Secure Data Handling
If your business handles direct payments from customers, you might be holding PAN data – Primary Account Numbers – which is extremely sensitive data that, if leaked, can cause serious problems for your clients.
There are always occasions when you will need to store and process certain financial data. However, many businesses store PAN incorrectly, or in such a way that, while convenient, leaves it wide open to data leakage.
Let’s explore why PAN data is so important, whether you should store it at all, and, if you do need to retain it, how to secure it to protect your customers, revenue and reputation.
Understanding PAN and its Importance
PAN data specifically refers to unique numbers that identify payment accounts. Each PAN is unique to a specific payment card, which merchants, acquirers and issuers use to identify payment sources and types.
Typically, a PAN breaks down into several groups of digits: the leading digits (the Issuer Identification Number, commonly called the BIN) identify the card network and the issuing bank, the following digits identify the individual account, and the final digit is a check digit. The check digit is computed from the preceding digits with the Luhn algorithm, so it detects most mistyped or transposed digits; it does not prove that the number belongs to a live account.
This information isn’t just useful to merchants and business owners. It’s lucrative data for attackers, who use stolen PANs to carry out fraudulent transactions. From the number alone an attacker can identify the card network and issuing bank, and combined with the expiry date and other cardholder data a PAN can be resold or used directly for card-not-present fraud.
Therefore, storing PAN safely has never been more important, for small businesses as much as large ones. At the very least, stored PAN must be rendered unreadable, for example by truncation or strong encryption, so that it cannot be exposed and used fraudulently.
Whether to Store PAN Data
Unless you have a very good reason to store PAN data for business reasons, we highly recommend you avoid retaining it. In fact, we’ve helped several of our customers rethink their financial data retention strategies on the basis of “is it really necessary?”
Many businesses store PAN data to make their processes more efficient, believing that PAN storage is necessary to support recurring payments and customer service requests. If you can avoid storing it, however, you’ll lower your security risk and reduce your PCI DSS compliance scope.
It’s a common misconception that you need to store all elements of your customers’ payment data to support processes, such as ‘Buy now, pick up later’, monthly subscription or membership payments, or ‘no show’ or no cancellation charging. In fact, it may be more beneficial for your payment security strategy if you refrain from storing PAN data at all.
PCI DSS Requirements for PAN Storage
If you do choose to store PAN data, in electronic or hard copy, you’ll need to follow the requirements set out by the PCI Security Standards Council (PCI SSC) in the PCI Data Security Standard, or PCI DSS. This global standard specifies a minimum baseline of technical and operational security practices to be met by all entities that store, process or transmit (or could impact the security of) cardholder data and/or sensitive authentication data. The defining element of cardholder data is the PAN.
Compliance with the PCI DSS helps to protect not only PAN but also all other elements of cardholder data and sensitive authentication data that you hold, shielding cardholders from data leakage and fraud and holding businesses accountable for how they handle PAN.
Any display of the full PAN, on paper or on screen, must be restricted to those people and roles with a legitimate business need to see it. Everyone else must see only a masked card number showing, at most, the BIN and the last four digits. For hard copy, PCI DSS requires the paper media to be securely stored, accessible only to those with a business need, and retained only as long as is required to meet identified legal, regulatory or business needs. The same requirements apply to PAN retained electronically, such as in databases, flat files, logs or backups, but in addition the PAN must be rendered unreadable anywhere it is stored so that cleartext PAN cannot be read or recovered. Logs and backups deserve particular attention: a PAN written to a debug log or captured in a database backup is stored PAN, and brings that system into scope.
When no longer needed for business or legal reasons, all hard copy and electronic media with PAN must be destroyed by means that ensures it is unrecoverable and cannot be reconstructed.
Methods to Render PAN Unreadable
To make PAN unreadable and unusable if compromised, PCI DSS requires one of the following methods: strong cryptography, truncation, index tokens (tokenization), or one-way hashing. Each either transforms the data or removes part of it so that the original PAN cannot be recovered or reused by an attacker.
Encryption
Encryption is a reversible process that converts the PAN into ciphertext that cannot be read without the corresponding key. Strong cryptography means industry-tested and accepted algorithms, key lengths that provide an effective key strength, and proper key-management practices to protect those keys: keys must be stored separately from the encrypted PAN, accessible only to designated key custodians, and rotated and retired on a defined schedule. The protection is only as good as the key management; an attacker who obtains both the ciphertext and the key has the PAN.
Truncation
Truncation is a data removal process in which at most the BIN and the last four digits of the PAN are retained and the remaining digits are permanently discarded. Unlike masking, which only hides digits on display while the full PAN still exists underneath, truncation removes the segment entirely. If truncated data is leaked, the PAN cannot be used, because the full set of digits no longer exists anywhere.
Tokenization
Tokenization replaces the original PAN with a token string that is used as an alias for it. Depending on the tokenization system, the entity storing the token may or may not be able to exchange it for the original PAN (de-tokenization); in the simplest arrangement the merchant only ever holds tokens and the payment provider holds the PAN vault. Tokenization relies on it being computationally infeasible to determine the original PAN from the token value alone, so a leaked token cannot be turned back into a card number. Note that a reusable token may still be usable to submit payments through the merchant’s own payment account, so access to the token store and to the gateway credentials must still be controlled.
Hashing
One-way hashing is an irreversible process that converts the entire PAN into a fixed-length digest. Each PAN produces a unique digest that cannot be reversed mathematically, but because the space of possible PANs is small (a fixed BIN, a Luhn check digit, and only the account digits varying), an unkeyed hash can be reversed by brute force: an attacker simply hashes every candidate number and looks for a match. For this reason PCI DSS v4.0 requires hashes used to render PAN unreadable to be keyed cryptographic hashes of the entire PAN, with the key managed like an encryption key. PCI DSS also requires that, where both hashed and truncated versions of the same PAN exist in an environment, controls are in place so the two cannot be correlated to reconstruct the original PAN: truncation reveals the first six and last four digits, leaving only a handful of digits for the attacker to guess.
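The following is an added example, not code from the original article or from VikingCloud, that illustrates the masking, truncation and hashing points above in working Python, plus a scan for cleartext PANs in log text of the kind the storage requirements warn about. The sample PAN is the widely published Visa test number 4111 1111 1111 1111 and the log lines are constructed for the example; `recover_pan` shows why an unkeyed hash stored next to a truncated PAN is not "unreadable", while the HMAC variant is the keyed-hash construction assumed here.

```python
# Added example (not from the original article): PAN-handling primitives that
# illustrate Luhn validation, masking vs. truncation, unkeyed vs. keyed hashing,
# and a scan for cleartext PANs in log text. Sample data is constructed.
import hashlib
import hmac
import os
import re

# Constructed sample: a widely published Visa *test* number, not a live account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check: catches most mistyped or transposed digits.

    It is an integrity check only; a Luhn-valid number is not necessarily
    an issued card."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six (BIN) and last four digits visible.
    The full PAN still exists behind the mask, so masking is a display
    control, not a storage control."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form: the middle digits are discarded, not hidden."""
    return pan[:6] + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN. Present only to demonstrate the weakness."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the PAN (assumed keyed-hash construction). The key must
    be managed like an encryption key and kept away from where hashes live."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str, pan_len: int = 16):
    """Attacker view: given BIN+last4 and an UNKEYED hash of the same PAN,
    only the middle digits are unknown. For a 16-digit PAN that is 10**6
    guesses (10**5 with a Luhn filter), i.e. seconds on a laptop.
    Returns the full PAN, or None if the digest is keyed or unrelated."""
    first6, last4 = truncated[:6], truncated[-4:]
    missing = pan_len - 10
    for n in range(10 ** missing):
        candidate = f"{first6}{n:0{missing}d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_for_pans(text: str) -> list:
    """Find Luhn-valid card-number-looking strings in free text (logs, dumps,
    backups). The Luhn filter drops most timestamps and order numbers."""
    found = []
    for m in _PAN_LIKE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(raw):
            found.append(raw)
    return found


# Constructed log lines: one leaked PAN, one epoch timestamp, one non-Luhn id.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO  order=ORD-8831 ts=1700000000000 status=paid
2024-05-01T10:00:02Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/27
2024-05-01T10:00:03Z INFO  session=1234567890123456 user=alice
"""

if __name__ == "__main__":
    print("masked:", mask_pan(SAMPLE_PAN), "truncated:", truncate_pan(SAMPLE_PAN))
    unkeyed = recover_pan(truncate_pan(SAMPLE_PAN), hash_pan_unkeyed(SAMPLE_PAN))
    print("truncation + unkeyed hash recovers:", unkeyed)
    key = os.urandom(32)  # in production: a managed key, stored apart from the hashes
    keyed = recover_pan(truncate_pan(SAMPLE_PAN), hash_pan_keyed(SAMPLE_PAN, key))
    print("truncation + keyed hash recovers:", keyed)
    print("cleartext PANs found in log:", scan_for_pans(SAMPLE_LOG))
```

Running the script shows the unkeyed digest being reversed in a fraction of a second once the truncated form narrows the search to six digits, while the HMAC digest survives the same search; the log scan flags only the card number, because the timestamp and the session id fail the Luhn check. The regex is deliberately broad and the Luhn filter deliberately strict; tune both to the formats your own logs actually contain before using it as a detection rule.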
Common Compliance Issues and How to Address Them
| PAN Storage Reason | Solution Example |
|---|---|
| Merchant is collecting and storing card data in order to process repeat, periodic or recurring monthly card payments. | Migrate to a payment processing method that supports tokenization. Merchant receives a ‘token’ (alias) after the initial payment that is stored and re-used to submit subsequent payments (not to a schedule). For example, a Virtual Terminal that supports the set-up of scheduled, recurring or subscription payment plans for the customer, or supports token creation for customers that can be used to submit ad hoc payments. Or, for an e-commerce website, integrate a payment gateway that supports tokenization and/or the set-up of scheduled, recurring or subscription payments. |
| Merchant is sending or receiving payment card data via email to guarantee or process deposit payments for bookings / reservations. | Implement a Pay by Link solution. Merchant takes only the order details via email, generates a Pay by Link URL for the customer order and responds to the customer via email, text or social media with their unique Pay by Link URL; the customer pays online via a secure PCI DSS compliant third-party hosted payment page. |
| Merchant wants to offer a streamlined online checkout process, allowing customers the ability to register and store their card details on their account. | Amend the website e-commerce integration method to one that is SAQ A eligible and supports tokenization. Card details are submitted to the tokenization provider and the merchant receives a ‘token’ (alias) that can be re-used by the customer for subsequent payments. No card data needs to be stored by the merchant. |
| Merchant needs to confirm final transaction cost or that goods are in stock before charging the customer’s card. | Integrate the merchant website with an e-commerce payment gateway that supports ‘delayed dispatch’ (authorize on purchase and capture on dispatch). No card data needs to be stored by the merchant. |
Benefits of Avoiding PAN storage
While there is a cost associated with changing payment processing method, migrating to a new payment solution, or taking other actions to avoid PAN storage, businesses that make these changes often also benefit from simpler, easier and cheaper PCI DSS compliance.
Businesses no longer storing PAN, reducing risk and their PCI DSS assessment scope, can experience the following benefits:
- Achieve eligibility for one of the smaller merchant self-assessment questionnaires (SAQs)
- Reduce where and how PCI DSS requirements apply to their business
- Reduce the number and necessary technical expertise of the people needed to achieve and maintain PCI DSS compliance
- Realize savings in time and money spent on compliance efforts while improving the security of their customers’ payment card data.
Consequences of Non-Compliance
If you are not compliant with the PCI DSS, there are a number of implications including the potential for non-compliance charges to be levied by your acquirer(s) / merchant services provider and being at greater risk of a card data breach.
Payment card data is also Personally Identifiable Information (PII), and failure to have appropriate technical and organizational measures in place to protect that personal data is a breach of the EU’s General Data Protection Regulation (GDPR) and may put your business in breach of other personal data regulations, such as the California Consumer Privacy Act (CCPA) in the U.S., the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and the Protection of Personal Information Act (POPIA) in South Africa.
Beyond fines and penalties, users whose PAN data are stolen or leaked and who experience fraudulent activity as a result may be able to take legal action against you. That amounts to additional costs, loss of revenue, and further reputational damage.
The bottom line is this – to avoid extending your compliance scope, avoid storing PAN data wherever possible. However, if you absolutely must keep this information on board, always comply with the PCI DSS and take steps to make PAN unreadable anywhere it is stored.
A good way to start protecting your financial data and general security is to consult with a leading cybersecurity expert.
VikingCloud is here to help you plan ahead for compliance demands, cybersecurity risks, threat response, and more. Contact us now to find out how we can help you keep on the right side of compliance with the PCI DSS.