is Last 4-digits of credit card and Expiry Date storage allowed in PCI-DSS?

Kiran Beladiya · Jun 19, 2017 · Viewed 13.1k times

We need to store last 4 digits of credit card, (in order to let customers know which card they have used?) and expiry date (to notify customers that their card is about to expire) for our subscription/recurring payment based SaaS application.

Are those two data items allowed to be stored under PCI DSS? Please answer with a reference/link to an official website or document.

Please note: we are not storing the Name On Card or CVV numbers.

Answer

Matthew Allen · Jun 19, 2017

You should be OK with regard to PCI regulations.

This table lays out what data can be stored: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

"If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements."

Edit: According to the bottom table in that doc, you should be able to store those elements. Since you are not storing the full PAN, Regulation 3.4 shouldn't apply to the other elements.

If it helps, we got Level 1 certified and we store the last 4 and expiration date in clear text. You don't need to be audited unless you are Level 1 (assuming Merchant here, not Service Provider).
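As an added example (not part of the question or the answer above): a small Python model of the storage rule discussed here, which persists only the last four digits and the expiry date (the stored record has no CVV field at all), together with a Luhn-based check that a record or log line does not accidentally contain a full PAN. The function names and the card number used are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\d[\d -]{11,21}\d")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """Detection check: does this string (record, log line) carry a full PAN?"""
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


@dataclass(frozen=True)
class StoredCard:
    """The only card data the application persists: no PAN, no CVV field."""
    last4: str
    exp_month: int
    exp_year: int


def to_storable(pan: str, exp_month: int, exp_year: int) -> StoredCard:
    """Truncate a PAN to its last four digits and keep the expiry for renewal notices."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid PAN")
    if not 1 <= exp_month <= 12:
        raise ValueError("bad expiry month")
    record = StoredCard(last4=digits[-4:], exp_month=exp_month, exp_year=exp_year)
    assert not contains_pan(repr(record))   # belt-and-braces: nothing full leaks
    return record


if __name__ == "__main__":
    # Constructed test number (a well-known Luhn-valid sample, not a real card).
    print(to_storable("4111 1111 1111 1111", 12, 2027))
```

The same `contains_pan` check is useful on application logs, where full PANs tend to leak even when the database schema is clean.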