Question: Is pre-authorisation data in scope of PCI DSS?
There’s quite a bit of misleading information on the internet about the PCI DSS status of pre-authorisation data. As far as all the card schemes are concerned, there is no difference between pre-authorisation and post-authorisation data: if you store, process or transmit cardholder data before it has been authorised, the PCI DSS requirements apply.
However, if your card brand agrees, you are permitted to store sensitive authentication data (SAD), which includes track data, encrypted PIN blocks and CVV2 values, before authorisation, provided it is deleted immediately after authorisation.
The best argument I once heard about this subject was from a QSA who said that a card number that had not been authorised “was just a random 16-digit number” and it was only the process of authorisation that made it cardholder data. He argued that the fact that it passed a Luhn check and was entered into a web form field labelled “card number” was immaterial. Nonsense: if it walks like a PAN, and quacks like a PAN, then it’s a PAN.
There’s also a PCI SSC FAQ about this.
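As an added illustration, not part of the original post, the following Python classifier applies the “walks like a PAN” reasoning from a defender’s side: it flags PAN-shaped values that pass the Luhn check and the SAD fields named above without ever consulting authorisation status, shows what may safely reach a log at any stage, and performs the SAD purge that must follow authorisation. The field names and the sample checkout payload are constructed assumptions.

```python
import re

# Constructed field names used by this example; real forms use their own.
SAD_FIELDS = {"cvv2", "track1", "track2", "pin_block"}
PAN_SHAPE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: real PANs pass, most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    return isinstance(value, str) and bool(PAN_SHAPE.match(value)) and luhn_valid(value)


def classify(payload: dict) -> dict:
    """Decide PCI DSS scope for a captured form/request payload.
    Authorisation status is deliberately not an input: pre- and post-auth
    data are treated identically, which is the point made above."""
    pan_fields = [k for k, v in payload.items() if looks_like_pan(v)]
    sad_fields = [k for k, v in payload.items() if k.lower() in SAD_FIELDS and v]
    return {"in_scope": bool(pan_fields or sad_fields),
            "pan_fields": pan_fields, "sad_fields": sad_fields}


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most PCI DSS lets a display show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def loggable(payload: dict) -> dict:
    """What may be written to logs at ANY stage: SAD dropped, PAN masked."""
    return {k: mask_pan(v) if looks_like_pan(v) else v
            for k, v in payload.items() if k.lower() not in SAD_FIELDS}


def after_authorisation(payload: dict) -> dict:
    """SAD held only until authorisation must be deleted immediately after it."""
    return {k: v for k, v in payload.items() if k.lower() not in SAD_FIELDS}


# Constructed sample: a checkout form captured before authorisation.
SAMPLE = {"card_number": "4111111111111111", "cvv2": "123", "expiry": "12/29",
          "order_id": "1234567890123", "amount": "19.99"}
```

The 13-digit order_id has the right shape but fails the Luhn check, so only the genuine PAN and the CVV2 are flagged.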