PAN stands for Primary Account Number, and it is the most critical piece of cardholder data when it comes to PCI compliance. Since the PAN can be used in conjunction with other pieces of cardholder data, there are extra steps and regulatory compliance that must be met in order to ensure user data is properly secured.

The PCI DSS says, “The primary account number (PAN) is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.”

The Payment Card Industry Data Security Standard (PCI-DSS), which consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. In fact, if you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS.

A third-party payment processor is a depository customer of a bank that uses their banking relationship to process payments on behalf of other companies through its bank. They are typically referred to as processors that process ACH and/or remotely created checks (RCC), although it is typically much broader than that because banks do not have a contractual relationship with the TPPP’s merchant clients, so you can have credit cards, checks that are not remotely created, and return products that fall under this umbrella term. It is also important to note that TPPP is also synonymous with TSP, or third-party senders, by NACHA if they are processing ACH payments and must adhere to the third-party vendor requirements under the rules.

There are 4 levels of PCI compliance, based on number of transactions processed within a year. The levels are as follows:

  • PCI Merchant Level 1: Merchants with over 6 million transactions a year, across all channels, or any merchant that has had a data breach
  • PCI Merchant Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
  • PCI Merchant Level 3: Merchants with between 20,000 and 1 million online transactions annually
  • PCI Merchant Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

PCI DSS defines cardholder data as: “At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.” In short, as the name implies, cardholder data is any data stored related to a user’s card number or payment information.