Which of the following is NOT included in cardholder data?

Cardholder data specifically refers to information associated directly with a card used in transactions, particularly within the context of payment card security as defined by the Payment Card Industry Data Security Standard (PCI DSS). The primary account number (PAN), expiration date, and cardholder name are all elements that can be found on a payment card and are considered sensitive data that need protection under these standards.

The primary account number is the unique identifier for the cardholder's account, while the expiration date indicates until when the card is valid, and the cardholder name often appears for identification purposes.

In contrast, a social security number (SSN) is not related to payment card transactions and does not appear on payment cards. It is a separate identifier issued by the government primarily for taxation and social services, and while it is sensitive information, it is not classified as cardholder data within the parameters of PCI DSS. Therefore, including social security number as a response highlights an understanding of what constitutes cardholder data and what does not in the context of payment security.