Table of contents
Intro to PCI CompliancePCI Compliance: A Deep DivePCI Compliance Checklist for 2019What is PCI DSS compliance?What is PCI-SPoC Compliance?What are the consequences for noncompliance?What does it cost to be PCI compliant?
Violating PCI compliance can lead to hefty fines for you and your business. Learn more about PCI DSS Compliance and see how Square protects you- for free.
Intro to PCI Compliance
When it comes to a growing business, the safety and security of your and your customers’ sensitive information and data is likely top of mind—especially when it comes to payments.
New advances in commerce and payments technology are often accompanied by new rules and regulations to help ensure that both businesses and consumers are protected. Enter the Payment Card Industry Data Security Standard (PCI DSS), a standard put forth by the five largest credit card companies to help reduce costly consumer and bank data breaches.
Understanding PCI DSS compliance can feel overwhelming for business decision makers. In this guide, we break down the need-to-knows of PCI DSS compliance and walk you through the steps you need to safeguard your business and customers.
FAQ: Six Frequently Asked Questions About PCI Compliance
What does PCI DSS compliance mean?
PCI DSS stands for Payment Card Industry Data Security Standard, which sets the requirements for organizations and sellers to safely and securely accept, store, process, and transmit cardholder data during credit card transaction to prevent fraud and data breaches.
Who needs PCI DSS compliance certification?
Although there is technically no such thing as “PCI certification,” sellers of all sizes, service providers, banks, and any other organizations that process credit card payments need to prove they are PCI compliant.
What are the PCI DSS compliance levels?
There are four levels of PCI compliance; each level has unique requirements for a business to validate its compliance. The level under which your business falls is based on your total transaction volume, annually.
What does it cost to be PCI DSS compliant?
The fees to become PCI compliant, and maintain that standing annually, can range from approximately $1,000 annually to over $50,000 annually, depending on the size of your business.
Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?
The PCI DSS Self-Assessment Questionnaire is a checklist ranging from 19 to 87 pages, created and distributed by the PCI Security Standards Council. It’s used as a mechanism for sellers to self-validate their PCI DSS compliance. Square does not require sellers to complete an SAQ, or to self-validate, since Square’s hardware and software complies with the Payment Card Industry Data Security Standard (PCI DSS).
Is there a PCI noncompliance fee?
Yes, there are typically fees associated with PCI noncompliance. If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.
Learn more -/^
Save time with business tools that work together — and work for you
Learn more -/^
PCI Compliance: A Deep Dive
Square seller or not, it’s still a good idea to understand PCI compliance, since adhering to it is part of protecting the safety of your customers’ financial information and your business.
PCI Compliance Checklist for 2019
|1||Install and maintain a firewall configuration to protect cardholder data.|
|2||Do not use vendor-supplied defaults for system passwords and other security parameters.|
|3||Protect stored cardholder data.|
|4||Encrypt transmission of cardholder data across open, public networks.|
|5||Use and regularly update anti-virus software.|
|6||Develop and maintain secure systems and applications.|
|7||Restrict access to cardholder data by business need-to-know.|
|8||Assign a unique ID to each person with computer access.|
|9||Restrict physical access to cardholder data.|
|10||Track and monitor all access to network resources and cardholder data.|
|11||Regularly test security systems and processes.|
|12||Maintain a security policy and ensure that all personnel are aware of it.|
This PCI compliance checklist was retrieved in July 2018 and may not be up to date, so be sure you’re compliant by selling with Square or by visiting the PCI Security Standards Council website.
Understanding the history of the Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was born in 2006, just as the Internet emerged as a necessary and valuable tool for businesses of all sizes. As the Internet era began to reach maturity, companies that chose to leverage its power began bringing their payment processing systems online, connecting them wirelessly to both their physical and virtual terminals. Meanwhile, consumers grew more comfortable using credit cards to make purchases both online and off.
The historical relevance of these security standards is critical to how and why PCI standards evolved. These new avenues of commerce exposed businesses and consumers to more and more risks—and the opportunity for fraudsters to steal credit card information from insecure networks and payment systems became more prevalent.
As a response to increasing data theft, the five largest credit card brands—Visa, MasterCard, Discover, American Express, JCB—implemented the Payment Card Industry Data Security Standard (PCI DSS) to prevent costly consumer and bank data breaches. It was with the advent of this regulation, and the PCI Security Standards Council, that PCI compliance became—and still is—an important step in regulating the security of the credit card payment industry.
To help with managing compliance standards, the payment brands also established the PCI Security Standards Council as an independent body, meant to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.”
It’s important to note, however, that the credit card companies made PCI compliance a self-regulated mandate—meaning they shifted the liability of maintaining compliance for all parts of the payment processing life cycle to sellers and organizations.
So, while the Council is responsible for setting the standards and establishing requirements for sellers to adhere to—such as PCI-compliant applications and self-assessment questionnaires (SAQs) or checklists—the payment brands are responsible for enforcing them among sellers and organizations that accept credit cards.
Before we begin to explore PCI compliance standards in more depth, it’s important to note that by and large, credit cards are safe—and, thanks to new rules and standards like EMV chip cards, they are getting even more secure (we’ll talk more about that later). But even the biggest brands can still be at risk for large data breaches related to credit cards.
Whether you’re an enterprise corporation or have a small side-business, you’ve probably heard the term PCI DSS. By maintaining PCI compliance, you can help defend your business against hackers who can get hold of sensitive cardholder data and use it to impersonate cardholders or steal their identity.
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) refers to payment security standards that ensure all sellers safely and securely accept, store, process, and transmit cardholder data (also known as your customers’ credit card information) during a credit card transaction.
Any merchant with a merchant ID that accepts payment cards must follow PCI-compliance regulations to protect against data breaches. The requirements (mentioned in the PCI compliance checklist above) range from establishing data security policies for your business and employees to removing card data from your processing system and payment terminals.
“Cardholder” or payment data covers information such as the full primary account number (PAN), the cardholder’s name, and the credit card service code and expiration date. Sellers are also responsible for protecting sensitive authentication data in the magnetic-stripe data (e.g., CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more).
The credit card diagram above displays where unique and sensitive cardholder data is contained in a credit card. Organizations that collect, process, store, or transmit payment card transactions must complete and maintain the rigorous processes of verifying PCI compliance. It is important to note that entities involved with payment card transactions must never store sensitive authentication data after authorization. Do not store sensitive authentication data after authorization. This includes the 3 or 4 digit security code printed on the front or back of a card, the data stored on a card’s magnetic stripe or chip (also called “Full track data”), or personal identification numbers (PIN) entered by the cardholder.
PCI standards apply to:
- Card readers
- Point-of-sale systems
- Store networks and wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
As you can probably guess, becoming PCI compliant and maintaining that compliance can be a complex process; it can involve implementing security controls, hiring a pricey third-party consultant to install costly software and hardware, and signing an expensive and binding contract under which you agree to the bank’s terms for annual PCI compliance, completing annual self-assessments, and more.
Please refer to the PCI Small Merchant Guide to Safe Payments to learn more about how to better protect payment card data and your business.
See how -/^
Manage your inventory for free
See how -/^
What is PCI-SPoC Compliance?
PCI-SPoC is a standard that applies to apps running on your devices (iPad, mobile phone) that may need to accept PINs to complete transactions. Square takes these apps through a rigorous certification process to ensure the integrity of all data that resides in the apps. There are a few steps that we ask you to keep in mind.
What are the PCI compliance levels and requirements?
If your business accepts payment cards with any of the five members of the PCI SSC credit card brands (American Express, Discover, JCB, MasterCard, and Visa), then you are required to be PCI compliant within various levels, as determined by your transaction volume.
Sixty-five percent of small businesses miss the mark on minimum compliance requirements.
Keep in mind, not all compliance reporting requirements are the same—they can differ based on your processing volume. For example, sellers with a higher volume of transactions (as described in the matrix below) are required to work with internal security assessors (ISAs), qualified security assessors (QSAs), and PCI-approved scan vendors (ASVs).
There are four different levels of compliance; these levels stipulate the requirements for which sellers are responsible. The PCI Council deems the pass mark is compliance with 100 percent of criteria. Because of this complicated responsibility, many larger companies choose to work with a PCI-compliance consultant on standards and how to meet these PCI-compliant level requirements.
Every seller falls into one of the four categories depending on their transaction volume during a 12-month period. While each credit card brand has its own slightly different criteria, generally the PCI-compliance levels are as follows*:
PCI compliance levels
|Merchant Level||Applicable to||PCI Requirements*|
|1||Sellers that process over 6M transactions per year, any merchant that has had a data breach or attack that resulted in an account data compromise, and any merchant identified by any card association as Level 1.||Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), also commonly known as a Level 1 onsite assessment, or internal auditor if signed by officer of the company. Quarterly network scan by Approved Scan Vendor (ASV). Attestation of Compliance form.|
|2||Sellers that process 1M to 6M transactions per year.||Complete the PCI DSS Self-Assessment Questionnaire according to the intstructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool). Submit the SAQ evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.|
|3||Sellers that process 20,000 to 1M eCommerce transactions per year.||Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool). Submit the SAQ, evidence of a passing scan (if applicable), and the Attestaton of Compliance, along wiht any other requested documentation, to your acquirer.|
|4||Sellers that process fewer than 20,000 eCommerce transactions and all other sellers that process up to 1M transactions per year.||Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool). Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.|
*Each of the five payment brands has its own data security programs that require merchants to safeguard credit card processing data. Here’s a helpful example of Visa’s PCI DSS requirements.
What are the consequences for noncompliance?
If you don’t know the rules around PCI compliance or the consequences for being noncompliant, you’re not alone.
While PCI compliance is not a law, that doesn’t mean being out of compliance isn’t a big deal. In fact, a 2019 Verizon Data Breach Incident Report found that there were almost 42,068 data security incidents this year. So it’s more important than ever that your payment processing life cycle is secure.
If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more if a breach occurs.
In fact, 30% percent of small businesses report that they don’t know the penalties for noncompliance with PCI DSS 3.0.
Penalties are not highly publicized, but they can be destructive for businesses. For example, if your company violates PCI-compliance standards, credit card brands may levy fines from $5,000 to $100,000 per month to your acquiring bank. The banks often pass this cost along to the merchant and can terminate contracts or increase fees for transactions, in response to breaches and violations
Aside from the financial cost, there are also other potential liabilities that could affect your business. According to PCI Security Standards, failing to comply with PCI standards and resulting data breaches could result in:
- Lost confidence, so customers go to other merchants
- Diminished sales
- Cost of reissuing new payment cards
- Fraud losses
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgments
- Fines and penalties
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO, and dependent professional positions)
- Going out of business
What does it cost to be PCI compliant?
Becoming and maintaining a PCI-compliant business can be costly, depending on the type and size of your company and the compliance level to which you are held.
By level, the costs typically range from:
Level 4: $60 to $75 per month and up
Your cost includes an Approved Scanning Vendor (ASV), who should complete a regular network or website scan, and completion of a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance by you or your staff.
Level 3: $1,200 a year and up
Your costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.
Level 2: $10,000 a year and up
Your costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.
Level 1: $50,000 a year and up
Your costs include a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.
Watch out for predatory service providers that charge expensive fees but only satisfy a portion of your PCI requirements.
Square takes care of PCI compliance for your business
Square complies with the Payment Card Industry Data Security Standard (PCI DSS) so you do not need to individually validate your state of compliance.
Our hardware/readers have end-to-end encryption out of the box with no configuration required and at no additional cost—without monthly fees or annual assessment requirements. We maintain PCI compliant software at no additional cost to you, with no monthly contracts or long-term commitments. Providing you use Square for all storage, processing, and transmission of your customers’ card data, you don’t need to take any steps to validate your PCI compliance to Square, and you don’t need to pay any PCI-compliance fees.
Square is the merchant of record for every transaction. We deal with the banks on your behalf including PCI compliance, regulation, and processing. We advocate on your behalf to make sure that simple errors, honest mistakes, and disputes are resolved equitably.
Square’s technical approach to security is also designed to protect both you and your customers. We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization. Square’s integrated payment system provides end-to-end encryption for every transaction at the point of swipe, dip, or tap and tokenizes data once it reaches our servers. Plus, we monitor every transaction from acceptance to payment, continuously innovate in fraud prevention, and protect your data like our business depends on it—because it does.
What do I need to know about PCI compliance? ›
- Install and maintain a firewall. ...
- Change vendor-supplied default passwords and security settings. ...
- Protect stored cardholder data. ...
- Encrypt cardholder data when transmitting it across open, public networks. ...
- Use and regularly update antivirus software.
Level 1: Merchants processing over 6 million card transactions per year. Level 2: Merchants processing 1 to 6 million transactions per year. Level 3: Merchants handling 20,000 to 1 million transactions per year. Level 4: Merchants handling fewer than 20,000 transactions per year.What are the six principles of PCI compliance known as? ›
6 PRINCIPLES OF PCI DSS
Build and maintain a secure network and systems. Protect cardholder data. Maintain a vulnerability management program. Implement strong access control measures.
- Maintain a firewall – protects cardholder data inside the corporate network.
- Passwords need to be unique – change passwords periodically, do not use defaults.
- Protect stored data – implement physical and virtual measures to avoid data breaches.
- Challenge 1: All requirements are mandatory. ...
- Challenge 2: PCI-DSS is very technical. ...
- Challenge 3: There is a lot of organizational pressure involved in certification. ...
- Challenge 4: Competency Gap. ...
- Challenge 5: Correct Scope Definition.
- Complete a Risk Assessment. ...
- Document Policies and Procedures. ...
- Identify Compliance Gaps. ...
- Conduct Training to Educate Employees. ...
- Perform Maintenance.
PCI DSS Requirement 8 is all about assigning and managing individual user IDs and the necessary logical access controls to restrict access to an entity's system components. This requirement enforces minimum password complexity settings and proper user credential handling procedures.How many controls are there in PCI? ›
The Main PCI DSS Controls
For most companies, there are 12 main PCI controls to implement. These 12 requirements, spread across six groups, make up the core of the PCI DSS v.
- Examination and determination of the cardholder data flow through the network devices, databases, storage media, and applications.
- An in-depth analysis of network segmentation.
- Finalization of CDE and the scope of the client for PCI Compliance.
The PCI DSS 12 requirements are as follows: Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect stored cardholder data.
What is requirement 7 PCI? ›
PCI DSS Requirement 7: Restrict access to cardholder data based on business requirements. Important data should be accessible only by authorized personnel. For this, systems and processes must be to limit access according to their merits and business responsibilities.How to do a PCI risk assessment? ›
- Vulnerabilities/threat identification.
- Assessment of current security measures.
- Likelihood of threat occurrence.
- Potential impact of threat.
- Risk level.
- Scope analysis.
- Data collection.
- Periodic review/update as needed.
A: If you accept credit or debit cards as a form of payment, then PCI compliance applies to you.How do you pass a PCI audit? ›
Passing a PCI compliance scan attempt usually requires changing some of the default settings on your server to be more secure. Some of the most common things to do would be to close ports on the firewall and make sure you are using up-to-date software.What are the most common PCI violations? ›
- 1) Annual Audits & Assessment–
- 2) Cardholder Data Scan-
- 3) File-integrity or Change Detection software-
- 4) Not documenting significant changes.
- 5) Management of Cryptographic Keys.
- 6) “Fixation” for exclusion or out of scope –
PCI Level 1: Businesses processing over 6 million transactions per year. PCI Level 2: Businesses processing 1 million to 6 million transactions per year. PCI Level 3: Businesses processing 20,000 to 1 million transactions per year. PCI Level 4: Businesses processing less than 20,000 transactions per year.What are PCI violations? ›
Some of the worst breaches involve stolen payment information, resulting in PCI violations. These violate the Payment Card Industry Data Security Standard (PCI DSS), a standard for organizations that deal with credit card data. A violation doesn't only lead to monetary losses for the person whose data gets stolen.What are simple PCI procedures? ›
This is the basic PCI procedure. A catheter with a tiny, folded balloon on its tip is threaded through a blood vessel until it reaches the site where plaque buildup is causing a blockage. At that point, the balloon is inflated to compress the plaque against the walls of the artery.
Step 1: Identify How and Where the Organization Receives Cardholder Data. The first step to determining PCI scope is to identify how you are accepting cardholder data. The most obvious place for many merchants is your PoS systems at the registers and your e-commerce website.How many questions are on the PCI? ›
Although it seems complicated to answer each of the 160 questions asked in SAQ C, the fact that each item has its part that corresponds to the 12 requirements of the PCI DSS makes the process at least more comfortable.
What cardholder data can never be stored? ›
Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions). Never store the personal identification number (PIN) or PIN Block.Does PCI require encryption at rest? ›
The Payment Card Industry Data Security Standards (PCI DSS) requires organizations to encrypt credit card account numbers stored in their databases and ensure that data remains secure when transferred outside the company.What is PCI time requirement? ›
PCI DSS requirement 8.1. 8 requires the session to time out after 15 minutes when a user moves away from an open machine with access to critical system components or cardholder data.What data falls under PCI? ›
What type of data does PCI DSS protect? PCI DSS protects two categories of data: cardholder information and sensitive authentication data. Cardholder data refers to information such as primary account numbers, cardholder name, card expiration date, and service code.What are the elements of PCI? ›
|Cardholder Data Includes:||Sensitive Authentication Data Includes:|
|Primary Account Number (PAN)||Full magnetic stripe data or equivalent on a chip|
|Cardholder Name||CAV2 / CVC2 / CVV2 / CID|
|Expiration Date||PINs / PIN blocks|
PCI Data Security includes technical and operational standards connected to cardholder data. This covers everything from building and maintaining a secure network and protecting stored cardholder data, to monitoring and testing networks and maintaining an information security program.What is PCI diagram? ›
PCI Data Flow Diagrams
A data flow diagram should include all payment channels and processes through which CHD is processed. Managed service providers (MSPs) or other organizations that do not store, process, or transmit CHD are expected to detail flows regardless of the process or service being evaluated in PCI RoC.
Performing a PCI DSS compliafnce assessment, or validating compliance, is the process of evaluating an organization's security policies, procedures and network configurations against each applicable control in the standard.How many types of PCI are there? ›
There are 5 common types of PCIe slots and cards: x1, x2, x4, x8, and x16. The numbers represent the number of lanes on the card or slot. Just like the lanes on a road, these lanes are paths for data to travel on.What is requirement 3 protect stored cardholder data? ›
How Can I Protect Stored Payment Cardholder Data (PCI DSS Requirement 3)? At the heart of the PCI DSS is the need to protect any cardholder data that you store. The standard provides examples of suitable card holder data protection methods, such as encryption, tokenization, truncation, masking, and hashing.
What is PCI Level 3 requirement? ›
Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria: Processes 20,000 to 1 million Visa e-commerce transactions per year. Processes 20,000 Mastercard e-commerce transactions per year, but less than or equal to 1 million total Mastercard transactions per year.What is PCI compliance requirement 9? ›
PCI DSS Requirement 9: Restrict physical access to cardholder data. Any physical access to systems holding cardholder data allows individuals to access devices or data and destroy systems or hard copies. Consequently, such access should be restricted to authorized personnel only.What is requirement 9 PCI? ›
The goal of the PCI DSS is to ensure that cardholder data that is stored, processed, or transmitted is protected. Requirement 9 addresses physical security controls to ensure that facilities are properly protecting CDE assets such as technology and people.What is PCI requirement 11? ›
PCI Requirement 11 focuses on a critical aspect of PCI compliance: testing. This testing should be of wireless access points, incident response procedures, vulnerability scans, penetration testing, intrusion-detection, change-detection, and policies and procedures.What are the four risk assessment procedures? ›
- Step 1) Hazard Identification. After determining an area to study, IDEM samples the affected environment, analyzes the samples, and identifies chemicals that may contribute to increased risk. ...
- Step 2) Exposure Assessment. ...
- Step 3) Dose-Response Assessment. ...
- Step 4) Risk Characterization.
The RISK-PCI is a simple score for the prediction of 30-day major adverse cardiovascular events (MACE) and mortality in patients treated with primary PCI (pPCI).What happens if you fail PCI compliance? ›
Non-compliance can lead to many different consequences such as monthly penalties, data breaches, legal action, damaged reputation, and even revenue loss. PCI Non-Compliance can result in penalties ranging from $5,000 to $100,000 per month by the Credit Card Companies (Visa, MasterCard, Discover, AMEX).What is PCI most important to protect? ›
The Payment Card Industry Data Security Standard (PCI DSS, or just PCI) is mandated by credit card companies to help protect cardholder data. The standard outlines guidelines on how to capture, process, and store sensitive customer data.Who verifies PCI compliance? ›
Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards.What is the penalty for violating PCI? ›
Penalties for PCI Compliance Violations
Fines vary from $5,000 to $100,000 per month until the merchants achieve compliance. That kind of fine is manageable for a big bank, but it could easily put a small business into bankruptcy.
What does PCI consider to be the most important to protect? ›
To sum up, PCI DSS standards apply to all types of companies that ask for credit card information. Its main goal is to protect the privacy and security of sensitive cardholder data by suggesting a guideline on how to secure online business.Who needs to comply with PCI standards? ›
Any organization that accepts, handles, stores, or transmits cardholder data must be PCI compliant. The size of the business and the number of transactions does not exempt a company from being compliant. Cardholder data includes debit, credit, and prepaid cards used by customers.What happens if I am not PCI compliant? ›
Non-compliance can lead to many different consequences such as monthly penalties, data breaches, legal action, damaged reputation, and even revenue loss. PCI Non-Compliance can result in penalties ranging from $5,000 to $100,000 per month by the Credit Card Companies (Visa, MasterCard, Discover, AMEX).What is the requirement 5 of PCI DSS? ›
PCI DSS Requirement 5: Use and regularly update anti-virus software. Anti-virus software needs to be installed on all systems commonly affected by malware. Make sure anti-virus or anti-malware programs are updated on a regular basis to detect known malware.What must you never do when processing cardholder data? ›
Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions). Never store the personal identification number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed.