WithoutFire | John Elliott's occasional thoughts on data protection

pre-authorisation data (pci dss q&a)

Question: Is pre-authorisation data in scope of PCI DSS?

Answer: Yes.

There’s quite a bit of misleading information on the internet about the status of pre-authorisation data. As far as all the card schemes are concerned there’s no difference between pre-authorisation data and post-authorisation data. If you store, process or transmit pre-authorised cardholder data then the PCI DSS requirements apply.

However, if your card brand agrees, you are permitted to store sensitive authentication data (SAD) which includes track-data, encrypted PIN blocks and CVV2 values before authorisation as long as it is deleted immediately after authorisation.

The best argument I once heard about this subject was from a QSA who said that a card number that had not been authorised “was just a random 16 digit number” and it was only the process of authorisation that made it cardholder data. He argued that the fact that it passed a Luhn check and was entered into a web form field labelled “card number” was immaterial. Nonsense: if it walks like a PAN, and quacks like a PAN, then it’s a PAN.
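As an added example (not code from this post), here is the Luhn test the QSA waved away, used the way a defender would use it: to find PAN-like values in a pre-authorisation request so they are treated as cardholder data from the start, and to show sensitive authentication data (here CVV2) being dropped as soon as the authorisation response is back. The sample form, the acquirer stub and the auth code are all constructed for the example.

```python
import re
from typing import Callable, Dict, List

SAD_FIELDS = ("cvv2", "track_data", "pin_block")  # sensitive authentication data

# Constructed pre-authorisation request as a web form might submit it.
SAMPLE_FORM = {"card number": "4111 1111 1111 1111", "expiry": "12/29",
               "cvv2": "123", "order_ref": "1234567890123456"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """13-19 Luhn-valid digits is a PAN whether or not it has been authorised yet."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def pan_fields(form: Dict[str, str]) -> List[str]:
    """Field names holding PAN-like values: these bring the system into PCI DSS scope."""
    return [name for name, value in form.items() if looks_like_pan(value)]


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of a PAN that must be retained."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fake_acquirer(form: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for the acquirer's authorisation response."""
    return {"approved": "yes", "auth_code": "ABC123"}


def authorise_and_discard(form: Dict[str, str], acquirer: Callable) -> Dict[str, str]:
    """Authorise, then keep a record with no SAD and only a masked PAN."""
    response = acquirer(form)
    record = {k: v for k, v in form.items()
              if k not in SAD_FIELDS and not looks_like_pan(v)}
    for name in pan_fields(form):
        record[name] = mask_pan(form[name])
    record["auth_code"] = response["auth_code"]
    for name in SAD_FIELDS:          # SAD leaves the request object immediately
        form.pop(name, None)
    return record
```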

There’s also a PCI SSC FAQ about this.
