IT-8 Standard for Protection of Cardholder Data

In this article


This document establishes a formal standard for the protection of cardholder data within Cardholder Data Environments (CDE) and outlines the related requirements specified in the Payment Card Industry Data Security Standards (PCI DSS) that must be implemented into all UMD network infrastructures that are processing cardholder data.


Additional authority

The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 3.



This standard applies to all UMD IT elements that are attached to a Cardholder Data Environment (CDE) network. All systems processing cardholder data full Primary Account Number (PAN) or full PAN plus any of the following: cardholder name, expiration date, service code, information from magnetic strip or card chip, and/or Personal Identification Number (PIN) must only be connected to a designated CDE network. Further, this standard also applies to all forms of storage media including paper.



Cardholder data must not be stored unless it is necessary to meet the needs of business and then only within the confines of the CDE network. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use. It is crucial that organizations storing cardholder data render it unreadable.

NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.




Guidelines for cardholder data elements

  Data Element Storage Permitted Render Stored Data Unreadable per 3.4
Cardholder Data Primary Account Number Yes Yes
Cardholder Name Yes No
Service Code Yes No
Expiration Date Yes No
Sensitive Authentication Data Full Track Data No Cannot store per 3.2
3 or 4 Digit Security Code No Cannot store per 3.2
PIN/PIN Block No Cannot store per 3.2