The data distinctions that change technical design
The primary account number is the defining element of cardholder data. When a full PAN appears with a name, expiration date, or service code, those related elements are also cardholder data. Display masking, storage rendering, truncation, hashing, encryption, and tokenization solve different problems; teams should not use the terms interchangeably or assume a masked screen proves the underlying database is protected.
Sensitive authentication data includes full track data, card verification values, PINs, and PIN blocks. It is used to authenticate cardholders or authorize transactions and cannot be stored after authorization, even in encrypted form. Search procedures should include application logs, debug traces, call recordings, support bundles, message queues, database replicas, crash dumps, and backups because prohibited values often appear through troubleshooting or integration mistakes.
Tokenization can reduce exposure when the merchant receives a substitute value and cannot use that token to recover PAN outside tightly controlled provider functions. The review still needs to document where tokenization occurs, which systems see PAN before substitution, who has detokenization authority, what exports contain, and whether logs or backups captured the original value. A tokenized application can remain security impacting even when it no longer stores PAN.
Data discovery is not a one-time keyword search. Combine payment-flow interviews, application and database knowledge, file and log inspection, endpoint and collaboration searches, provider documentation, backup restoration, and review of manual practices. Record false positives and search limitations so the conclusion can be repeated after a system change or during an assessment.