
Cardholder Data (CHD)

PCI DSS

PAN — alone or together with cardholder name, expiration, service code — defined by PCI DSS.

Cardholder Data (CHD) is the Primary Account Number (PAN), alone or together with cardholder name, expiration date, and/or service code. Sensitive Authentication Data (SAD) — full track data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks — must not be stored post-authorisation.

Why it matters
Discovering SAD in logs post-authorisation is the most catastrophic PCI finding — typically forensic-investigator (PFI) territory.
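A minimal log check for the situation described above, added here as an illustration and not part of the original glossary entry: it flags Luhn-valid PANs, track 2 data and card verification codes in log lines and reports only masked evidence. The verification-code field names, the track 2 pattern and the sample log lines are assumptions constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ;PAN=YYMM, 3-digit service code, discretionary data, then ?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Verification code next to a telltale field name (heuristic, assumed names).
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cav2|cid)\b\W{1,3}\d{3,4}\b")

def luhn_ok(digits):
    """Luhn check digit test; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep only the last four digits so the report itself holds no PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_line(line):
    """Return (category, redacted evidence) pairs for one log line."""
    findings = []
    def track_hit(m):
        findings.append(("SAD:track2", mask(m.group(1))))
        return "[TRACK2]"  # cut the track out so its digits are not re-counted
    rest = TRACK2_RE.sub(track_hit, line)
    if CVV_RE.search(rest):
        findings.append(("SAD:cvv", "[redacted]"))
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("CHD:PAN", mask(digits)))
    return findings

# Constructed sample log lines; 4111111111111111 is a widely used test PAN.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO auth ok order=98231 amount=19.99",
    "2024-05-01 12:00:02 DEBUG req pan=4111 1111 1111 1111 exp=12/25",
    '2024-05-01 12:00:03 DEBUG body {"card":"4111111111111111","cvv":"123"}',
    "2024-05-01 12:00:04 TRACE swipe ;4111111111111111=25121010000000000?",
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        print(n, scan_line(line))
```

A hit in the `SAD:` categories is the post-authorisation storage case; a `CHD:PAN` hit alone still means the log store is handling cardholder data.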

Related terms

CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.
Tokenisation
Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).
PCI DSS
Card-brand mandated standard for any entity that stores, processes, or transmits cardholder data.
