RD Virtual Card
RD Virtual Card

What Is Sensitive Authentication Data? Definition, Payment Flow, and Examples

Quick answer

Sensitive Authentication Data (SAD) is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes. This guide focuses on SAD's real role, boundaries, and common points of confusion.

Last updated: 2026-07-14 · RDVCC Payments Research

Key points

  • Definition: Sensitive Authentication Data (SAD) is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes.
  • Flow position: PCI DSS sets security requirements for payment-account-data environments.
  • Do not confuse: SAD / Cardholder Data

How it fits into the payment flow

For SAD, the relevant process is as follows: PCI DSS sets security requirements for payment-account-data environments. CHD centers at minimum on the full PAN, while SAD includes highly sensitive data used for authentication or authorization. Encryption protects content, masking limits display, and an HSM safeguards keys and performs cryptography.

A practical review of SAD should account for this: an organization should map data flows, scope, and responsibility before selecting access control, encryption, logging, vulnerability management, and key management. Evidence of compliance covers an assessed scope and point in time.

Practical example

After authorization, a merchant removes CVV and other sensitive authentication data from systems and debug logs. Encryption of a database field does not permit continued retention.

How it differs from related terms

TermDefinition
Sensitive Authentication Datais a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes
Cardholder Datais the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code
CVV/CVCis a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN

SAD focuses on the fact that it is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes. Cardholder Data, by contrast, is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code. They can appear in one transaction while answering different questions.

Use cases and limits

A key limit of SAD is the following: encrypted data does not automatically leave PCI DSS scope, and a masked display does not prove stored data is truncated. Restrictions on retaining SAD after authorization are especially strict.

Frequently asked questions

These answers address two common search questions about SAD.

Is it the same as Cardholder Data?

No. Sensitive Authentication Data (SAD) is a highly sensitive category used to authenticate cardholders or authorize transactions, such as full track data and card verification codes. Cardholder Data (CHD) is the PCI DSS data set centered on the PAN and potentially including cardholder name, expiration date, and service code. Compare the object, processing stage, and responsible party.

Does encryption automatically put a system out of PCI DSS scope?

For SAD, no. PCI SSC states that encryption alone is insufficient to remove cardholder data from scope; keys, access, and environmental relationships also matter.

Related glossary terms
Primary sources

These primary sources support the definition and process for SAD. Current product, network, and local rules still control a real transaction.