Frequently Asked Question

Is storage of truncated PAN considered storage of “cardholder data” per the SAQ eligibility criteria?

An entity that receives and stores only truncated PAN does not need to consider this storage of cardholder data for the purposes of the SAQ eligibility criteria.

Merchants must meet all the defined eligibility criteria for a particular SAQ in order to use that SAQ. Merchants should consult with their acquirer or the payment brands directly (as applicable) to determine which SAQ they should use. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?

See also FAQ #1117 Are truncated Primary Account Numbers (PAN) required to be protected in accordance with PCI DSS?

January 2015
Article Number: 1315