What Is Sensitive Authentication Data in PCI Compliance?

David Gamey David Gamey : Dec 20, 2020 10:07:00 PM

What Is Sensitive Authentication Data in PCI Compliance?

Sensitive authentication data, aka SAD, in PCI compliance is data used by the issuers of cards to authorize transactions.

Similar to cardholder data, PCI DSS requires protection of SAD. Additionally SAD can’t be retained (stored) by merchants and their payment processors. SAD includes the following:

  • “track” data from magnetic stripes
  • “track equivalent data” generated by chip and contactless cards
  • security validation codes (i.e. the 3-4 digit  number printed on cards) used for online and card not present transactions.
  • PINs

For more see the official PCI glossary.
How to protect against username enumeration on log in, registration, and password reset forms

How to protect against username enumeration on log in, registration, and password reset forms

Vishal Tomar : Jul 6, 2022 12:00:00 AM

Username enumeration (sometimes called account enumeration) is when it is possible for a hacker to...

Read More
Non-Compliance Lesson No. 4: Keep your head in the cloud when adopting new technologies

Non-Compliance Lesson No. 4: Keep your head in the cloud when adopting new technologies

David Gamey David Gamey : Jun 8, 2022 12:00:00 AM

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is...

Read More
NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe | blog,pci,cryptography | Control Gap

NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe | blog,pci,cryptography | Control Gap

David Gamey David Gamey : Jul 19, 2017 12:00:00 AM

Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in...

Read More