What Is Cardholder Data? Definition, Payment Flow, and Examples
Cardholder Data (CHD) is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code. This guide focuses on CHD's real role, boundaries, and common points of confusion.
Key points
- Definition: Cardholder Data (CHD) is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code.
- Flow position: PCI DSS sets security requirements for payment-account-data environments.
- Do not confuse: CHD / Sensitive Authentication Data
How it fits into the payment flow
For CHD, the relevant process is as follows: PCI DSS sets security requirements for payment-account-data environments. CHD centers at minimum on the full PAN, while SAD includes highly sensitive data used for authentication or authorization. Encryption protects content, masking limits display, and an HSM safeguards keys and performs cryptography.
A practical review of CHD should account for this: an organization should map data flows, scope, and responsibility before selecting access control, encryption, logging, vulnerability management, and key management. Evidence of compliance covers an assessed scope and point in time.
Practical example
A security team inventories systems storing a full PAN and whether name, expiration, or service code is also present. A last-four display and a database with full PAN have different exposure.
How it differs from related terms
| Term | Definition |
|---|---|
| Cardholder Data | is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code |
| Sensitive Authentication Data | is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes |
| Primary Account Number | is the principal card number carried in card credentials and used to identify the issuer range and the particular card-account relationship |
CHD focuses on the fact that it is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code. Sensitive Authentication Data, by contrast, is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes. They can appear in one transaction while answering different questions.
Use cases and limits
A key limit of CHD is the following: encrypted data does not automatically leave PCI DSS scope, and a masked display does not prove stored data is truncated. Restrictions on retaining SAD after authorization are especially strict.
Frequently asked questions
These answers address two common search questions about CHD.
Is it the same as Sensitive Authentication Data?
No. Cardholder Data (CHD) is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code. Sensitive Authentication Data (SAD) is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes. Compare the object, processing stage, and responsible party.
Does encryption automatically put a system out of PCI DSS scope?
For CHD, no. PCI SSC states that encryption alone is insufficient to remove cardholder data from scope; keys, access, and environmental relationships also matter.
These primary sources support the definition and process for CHD. Current product, network, and local rules still control a real transaction.