What comprises Sensitive Authentication Data (SAD)?

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

Sensitive Authentication Data (SAD) specifically refers to data that is used to authenticate a cardholder and is considered sensitive due to its potential to facilitate fraud if compromised. Full magnetic stripe data (or equivalent) is classified as SAD because it contains the complete information encoded on a card's magnetic stripe, which includes track data that can enable transactions without needing additional authentication. This data can directly allow someone to impersonate the cardholder.

The other choices provided, while they may be related to cardholder information, do not fall under the definition of Sensitive Authentication Data. The cardholder name and expiration date, for example, are not classified as SAD; they may be sensitive and are protected under PCI DSS, but they do not have the same level of risk associated with their compromise as full magnetic stripe data does. The service code, while it provides essential information about card usage, is also not classified as SAD in the context of the security standards set by PCI DSS. Therefore, knowing what constitutes SAD is critical for anyone involved in card processing and security to ensure compliance and minimize risks.
