Frequently Asked Question

Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?

No. Only the Primary Account Number (PAN) must be rendered unreadable when it is stored, in accordance with Requirement 3.5.1. Other elements of cardholder data, such as cardholder name, expiration date, or service code, do not need to be rendered unreadable, even if stored with the PAN.

However, if these elements are stored, processed, or transmitted with the PAN or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with the PCI DSS requirements applicable to cardholder data, such as network security controls, access controls, vulnerability management, and other security measures.

Please refer to the “PCI DSS Applicability Information” section of PCI DSS v4.0.1 for more details.

June 2025
Article Number: 1222
