3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization

3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:

  • The cardholder’s name
  • Primary account number (PAN)
  • Expiration date
  • Service code

To minimize risk, store only these data elements as needed for business.

3.2.1 For a sample of system components, examine data sources including but not limited to the following, and verify that the full contents of any track from the magnetic stripe on the back of card or equivalent data on a chip are not stored after authorization:
• Incoming transaction data
• All logs (for example, transaction, history, debugging, error)
• History files
• Trace files
• Several database schemas
• Database contents.

If full track data is stored, malicious individuals who obtain that data can use it to reproduce payment cards and complete fraudulent transactions.