All termsSecurityAdvancedUpdated April 23, 2026

What Is Sensitive Authentication Data?

Sensitive Authentication Data (SAD) is security-critical card information — including full magnetic stripe data, card verification codes, and PINs — that PCI DSS strictly prohibits storing after transaction authorization, even in encrypted form.

Also known as: SAD, authentication security data, cardholder verification data, card security credentials

Key Takeaways

  • SAD includes full magnetic stripe data, CVV2/CVC2/CID codes, and PIN blocks — none of which may be stored after authorization under PCI DSS.
  • Unlike cardholder data, SAD cannot be made storable through encryption or tokenization — the prohibition is absolute.
  • Even brief, 'temporary' storage of SAD in logs, caches, or databases constitutes a PCI DSS violation and can result in fines exceeding $100,000 per month.
  • Developers must audit every system layer — including logs, CDNs, and analytics tools — to confirm SAD never persists beyond the authorization moment.
  • Payment orchestration platforms that are PCI DSS Level 1 certified route SAD handling away from merchant infrastructure, dramatically shrinking compliance scope.

How Sensitive Authentication Data Works

Sensitive Authentication Data exists at the intersection of card authentication and fraud prevention. Its purpose during a transaction is to verify that the person presenting the card possesses the physical card or knows a secret tied to it. Once authorization is granted or denied, this data has served its function and must not survive in any system.

The lifecycle of SAD is strictly bounded by the authorization moment. Before that point, SAD travels through encrypted channels between the card terminal, the payment gateway, and the card network. After authorization, every system that touched SAD must purge it immediately. PCI DSS Requirement 3.3 leaves no room for interpretation: storage is prohibited, full stop.

01

Card Presented or Entered

The cardholder presents a physical card (magnetic stripe or chip) or enters card details online. The terminal or payment form captures full track data, the CVV2/CVC2 code, and potentially a PIN. This is the only moment SAD legitimately exists in a readable state within the transaction flow.

02

Encrypted Transmission to Gateway

SAD is encrypted immediately at the point of capture using TLS and, for card-present environments, point-to-point encryption (P2PE). It is transmitted to the payment gateway and onward to the card network's authorization endpoint without ever touching merchant application servers in plaintext.

03

Authorization Decision

The card network and issuing bank use SAD to authenticate the transaction. Track data confirms the card is genuine; the CVV2 confirms card possession in card-not-present contexts; the PIN verifies the cardholder. The issuer returns an approval or decline code.

04

Mandatory Purge

Immediately upon receiving the authorization response, every system that processed SAD — gateway, terminal, fraud engine, logging pipeline — must securely delete it. PCI DSS prohibits any subsequent storage, including in encrypted databases, backup tapes, or application logs.

05

Token or PAN Continues

Post-authorization, the merchant retains only a network transaction ID, a tokenization reference, or a truncated Primary Account Number. These identifiers enable refunds, chargebacks, and reconciliation without reintroducing SAD into the data environment.

Why Sensitive Authentication Data Matters

The PCI DSS prohibition on SAD storage exists because this data class enables the most damaging category of payment fraud. Full magnetic stripe data allows attackers to clone physical cards; verification codes enable card-not-present fraud at scale; PIN data compromises debit card accounts entirely. A single database exposure can yield losses orders of magnitude larger than breaches involving only cardholder data.

The financial stakes are concrete. According to IBM's Cost of a Data Breach Report, the average cost of a payment data breach reached $4.88 million in 2024, with regulated industries like financial services averaging significantly higher. Card scheme fines for verified SAD storage violations can reach $100,000 per month, applied to the acquiring bank and contractually passed to the non-compliant merchant. The Verizon Data Breach Investigations Report consistently identifies payment card data as the primary target in financially motivated breaches, appearing in over 36% of confirmed financial sector incidents. These figures explain why PCI compliance frameworks treat SAD with a categorical prohibition rather than a risk-based control framework.

PCI DSS Requirement 3.3

PCI DSS v4.0 Requirement 3.3 states that SAD must not be retained after authorization. This applies to all entities in the payment chain — acquirers, processors, issuers, and service providers — and explicitly includes data stored in encrypted form. There are no permitted exceptions for operational convenience.

Sensitive Authentication Data vs. Cardholder Data

Merchants often conflate SAD with Cardholder Data (CHD), but PCI DSS treats them under entirely different rules. Understanding this distinction determines which data elements can be stored (with controls) versus which must be purged unconditionally.

AttributeSensitive Authentication DataCardholder Data
ExamplesFull magnetic stripe, CVV2/CVC2/CID, PIN blocksPAN, cardholder name, expiry date
Storage after authorizationStrictly prohibited — no exceptionsPermitted with strong protections
PCI DSS requirementRequirement 3.3 — never storeRequirement 3.4 — protect if stored
Encryption makes storage acceptable?NoYes
Tokenization makes storage acceptable?NoYes
Primary fraud riskCard cloning, PIN compromise, CNP fraudAccount takeover, identity theft
Compliance path if storedNone — violation regardless of controlsEncryption, access controls, key management

This asymmetry matters operationally. A merchant who encrypts their CVV database believes they have reduced risk. Under PCI DSS, they have committed an equally serious violation as one who stored CVVs in plaintext — because the rule is an absolute prohibition, not a data protection standard.

Types of Sensitive Authentication Data

PCI DSS identifies three distinct categories of SAD, each with a different attack vector if exposed.

Full Track Data (Magnetic Stripe and Chip Equivalent) Track 1 and Track 2 data contain the cardholder's account number, name, expiry date, and service codes in a format that enables physical card cloning. Track 2 data — the minimal set required for authorization — is sufficient to produce a counterfeit magnetic stripe card. Chip-equivalent data derived from EMV transactions carries the same prohibition.

Card Verification Codes These 3-4 digit codes — called CAV2 (Visa), CVC2 (Mastercard), CVV2 (generic), or CID (Amex/Discover) — are not encoded in the magnetic stripe. They are generated from card data using a secret issuer key and printed on the card. In card-not-present transactions, possession of this code signals physical card access. Storing it allows attackers to bypass CNP fraud controls indefinitely.

PIN and PIN Blocks PINs authenticate cardholders in card-present debit and credit transactions. PIN blocks are encrypted representations of PINs formatted for transmission. Even encrypted PIN blocks are classified as SAD and cannot be stored. Compromise of PIN data enables direct ATM withdrawals and in-store debit fraud without requiring physical card possession.

Best Practices

The practical challenge of SAD compliance is that this data appears in unexpected places: error logs that capture full form payloads, CDN access logs that record query strings, analytics tools that log raw API requests. Best practices address both intentional handling and accidental exposure.

For Merchants

Use hosted payment fields. Redirect SAD capture to a PCI-certified hosted payment page or embedded iframe that never transmits card data through your servers. This approach removes your infrastructure from the SAD data flow entirely, dramatically reducing compliance scope.

Conduct regular log audits. Implement automated scanning of application logs, server logs, and third-party analytics outputs for patterns matching PANs or 3-4 digit sequences that could indicate CVV leakage. Schedule these scans quarterly at minimum.

Require contractual SAD prohibitions from vendors. Any third-party tool that touches your checkout flow — A/B testing platforms, session replay tools, tag managers — must contractually confirm they do not store SAD. Session replay tools are a frequent inadvertent capture vector.

Verify SAD purge in your payment provider's documentation. Your processor's Service Provider Summary confirms their scope. Confirm that SAD purge is explicitly documented, not assumed.

For Developers

Never log raw request bodies on payment endpoints. Disable verbose request logging on any endpoint that receives card data. If debugging requires payload logging, implement field-level masking that replaces CVV, track data, and PIN fields before log write.

Use three-domain secure where available. 3DS shifts authentication responsibility to the issuer's infrastructure, reducing the SAD surface area that passes through merchant-adjacent systems during online transactions.

Audit every integration that touches checkout. Map data flows for every SDK, webhook, and API that operates near the payment form. Confirm that none transmits raw form data to external endpoints before your payment processor tokenizes it.

Test your purge logic under failure conditions. Verify that SAD is deleted even when authorization requests time out or return network errors. Incomplete transactions are a common vector for inadvertent SAD persistence.

Common Mistakes

Even experienced engineering and compliance teams make predictable errors when handling SAD.

Storing CVV "temporarily" during retry logic. Payment retry flows sometimes cache card data to reattempt failed charges. Any storage of CVV or track data between attempts — even for seconds — violates PCI DSS. Retry logic must rely on a network token or gateway reference, never on re-stored SAD.

Assuming encryption resolves the prohibition. The most common misconception in PCI compliance is that encrypting SAD creates a defensible storage posture. PCI DSS is explicit: encryption does not make SAD storage permissible. Teams that implement column-level encryption on CVV fields in their database have not reduced their violation — they have added operational complexity to a non-compliant configuration.

Failing to audit third-party scripts at checkout. Marketing pixels, A/B testing frameworks, and customer data platforms frequently operate on checkout pages. If these scripts execute before your tokenization library, they may transmit raw form data — including CVV — to external servers. A PCI QSA audit that discovers this creates immediate scope expansion and potential violation findings.

Including SAD in error reporting payloads. Exception tracking tools like Sentry or Datadog can capture local variable state when errors occur. If an unhandled exception fires mid-checkout while card data is in scope, the full payload — including SAD — may be transmitted to a third-party logging service. Configure these tools to scrub card-pattern data before transmission.

Overlooking backup and DR copies. Database backups and disaster recovery snapshots that were created during a period of non-compliant SAD storage remain violations even after the production database is remediated. Backup purge policies must include explicit handling for any snapshot that may contain SAD.

Sensitive Authentication Data and Tagada

Payment orchestration platforms like Tagada are specifically architected to keep SAD outside of merchant-controlled infrastructure. When a merchant routes transactions through Tagada, card data capture occurs via PCI DSS Level 1-certified hosted fields — meaning full track data, CVV codes, and PIN blocks are tokenized before they reach any merchant system or Tagada's orchestration layer.

Reducing SAD Scope with Orchestration

Tagada's hosted payment components capture and immediately tokenize SAD at the point of entry, replacing it with a network token before routing the authorization request to the selected processor. Merchants receive only the token and the authorization response — never the underlying SAD. This architecture means your systems are never in scope for SAD-related PCI DSS requirements, regardless of which acquirer or processor Tagada routes through.

For merchants operating across multiple processors or markets, orchestration also eliminates the risk of SAD leakage during processor failover and retry scenarios. When Tagada reroutes a failed authorization to a secondary processor, it does so using the original network token — never by re-transmitting raw SAD. This is architecturally important: multi-processor environments without orchestration often introduce SAD persistence risks precisely at the retry and failover layer.

Frequently Asked Questions

What qualifies as Sensitive Authentication Data under PCI DSS?

PCI DSS defines SAD as three categories: full track data from a card's magnetic stripe or chip (Track 1 and Track 2), card verification codes printed on or embedded in the card (CAV2, CVC2, CVV2, CID), and PIN or encrypted PIN blocks. All three are explicitly prohibited from storage after the authorization process is complete, regardless of whether they are encrypted.

Why can't SAD be stored even in encrypted form?

The PCI DSS prohibition on SAD storage is absolute — it applies even when data is encrypted, hashed, or tokenized. The rationale is that SAD, if recovered by an attacker, enables card cloning and card-not-present fraud at a level that cardholder data alone does not. Encryption reduces breach impact for other data categories, but the card schemes determined that no business justification exists for retaining SAD post-authorization.

How is Sensitive Authentication Data different from Cardholder Data?

Cardholder Data (CHD) includes the Primary Account Number, cardholder name, and expiry date. CHD may be stored if merchants implement strong protections such as encryption and strict access controls. SAD, by contrast, includes the magnetic stripe contents, verification codes, and PINs — data that must be purged immediately after authorization and can never be stored under any conditions defined in PCI DSS Requirement 3.3.

What are the penalties for storing Sensitive Authentication Data?

Card scheme fines for PCI DSS violations related to SAD storage range from $5,000 to $100,000 per month, imposed on the acquiring bank and typically passed down to the merchant. Following a confirmed breach involving SAD, merchants can face forensic investigation costs, mandatory re-audits, card replacement costs billed by issuers, and potential removal from card acceptance programs. Regulatory fines under GDPR or state privacy laws may compound these penalties.

How can developers verify that SAD is not being stored inadvertently?

Developers should conduct a full data-flow audit covering application logs, error tracking systems, CDN request logs, analytics pipelines, database audit trails, and any third-party integrations that receive raw form submissions. Automated scanning tools can search log archives for patterns matching 16-digit PANs or 3-4 digit CVV sequences. Using a validated payment SDK or hosted fields solution is the most reliable way to prevent SAD from ever reaching merchant-controlled infrastructure.

Does tokenization eliminate the risk of storing SAD?

Tokenization effectively removes Primary Account Numbers from merchant systems by replacing them with non-sensitive tokens. However, tokenization does not create a compliant path for storing SAD. Verification codes and PIN data must still be purged immediately after authorization regardless of whether tokenization is in use. Tokenization reduces PCI scope for cardholder data but does not modify the SAD storage prohibition.

Tagada Platform

Sensitive Authentication Data — built into Tagada

See how Tagada handles sensitive authentication data as part of its unified commerce infrastructure. One platform for payments, checkout, and growth.