Frequently Asked Question
Is storage of truncated PAN considered storage of “cardholder data” per the SAQ eligibility criteria?
An entity that receives and stores only truncated PAN does not need to consider this storage of cardholder data for the purposes of the SAQ eligibility criteria.
Merchants must meet all the defined eligibility criteria for a particular SAQ in order to use that SAQ. Merchants should consult with their acquirer or the payment brands directly (as applicable) to determine which SAQ they should use. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?.
See also FAQ #1117 Are truncated Primary Account Numbers (PAN) required to be protected in accordance with PCI DSS?
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?