PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
View Original →
FAQ #1038 Published

Does PCI DSS apply to ?hot cards,? expired, cancelled or invalid card account numbers?

PCI DSS applies to any primary account number (PAN), including active, expired, or cancelled PAN, except where the organization can provide documentation which confirms that the PAN is inactive or otherwise disabled and no longer poses a fraud risk to the payment system. If, however, the PAN is later reactivated, PCI DSS will again apply.

When payment cards expire, the same account number is often reused on the new card with a different expiry date. The PAN must therefore be verified as not being valid before expired cards are excluded from PCI DSS scope.

Entities should retain PAN based on business/legal needs, as defined in data retention policy (PCI DSS Requirement 3.1). Remember: If you don?t need it, don?t store it.

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.