PCI DSS Blog Series – Requirement 3

The Payment Card Industry Data Security Standard (PCI DSS) consists of nearly 400 individual controls, is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!

CompliancePoint’s PCI blog series will analyze each of the 12 Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and finally, we will provide some pro tips.

This week we will address Requirement 3: Protect stored cardholder data.

Requirement 3: Protect stored cardholder data.

What does this requirement require at a high level? 

PCI DSS Requirement Three focuses on the policies, processes, technologies (such as encryption), and controls that protect cardholder data within your environment.

Why is compliance with this requirement important (beyond getting certified)? 

According to Statistica, there have been over one thousand data breaches in 2020 in the US, resulting in the exposure of sensitive information from at least 155 million individuals. Thus, it is extremely important that you protect consumers’ transactional data. This will not only protect consumers, but it will protect your company from a legal, financial, and reputational standpoint if a breach ever occurs.

Per PCI, there are certain elements of cardholder data that may be stored. However, sensitive Authentication Data (SAD) must NEVER be stored after authorization, even if it is encrypted.

The DSS aims to ensure that controls are implemented properly for ensuring that cardholder data is protected when stored through common methods such as encryption and masking.

Common Challenges & Tips for Success:

  1. Cardholder data should only be retained according to business processes, legal, and/or regulatory requirements. 
    • A quarterly process is to be implemented to ensure the removal of any cardholder data that meets the retention period. Your policies should specifically define how long the cardholder data should be stored and business justifications as to why it is stored. 
    • Cardholder data stored on paper media should be physically destroyed, while cardholder data stored on electronic media may be destroyed through methods such as degaussing, secure wiping, and physical destruction. 
  2. Masking of the Primary Account Number (PAN).
    • PAN should be masked whenever it is displayed to the minimum number of digits necessary to perform business functions. For example, the first six digits of the PAN, the last four digits of the PAN, or the first six digits and last four digits of the PAN. PAN stored within a database should only display the last four digits of the stored PAN.
    • The viewing of full PAN should be limited to those with a legitimate need to view the PAN, such as those that are investigating a transaction dispute.
  3. Methods to protect stored PAN:
    • PAN must never be stored in plain text.
    • Common Methods accepted by PCI for protecting stored PAN by rendering it unreadable:
      1. One-way hashes based on strong cryptography
      2. Truncation
      3. Index tokens and pads, with the pads being securely stored
      4. Strong cryptography, with associated key-management processes and procedures.
    • The most popular method for protecting stored PAN is strong cryptography, utilizing Data Encryption Keys (DEKs) and Key Encryption Keys (KEK).
    • Disk Encryption
      • Disk encryption may be used to encrypt the entire disk or partition in which PAN is stored if file- or column-level database encryption is not used. It may also be used in addition to file- or column-level database encryption.
      • IF disk encryption is used, proper access controls must be implemented to ensure that the user account credentials and decryption key are different from that of the operating system and system’s local user account, respectively.
  4. Vital Documentation
    • Key Management Policies and Procedures
      • Policies and procedures should address protections surrounding the Data Encryption Key (DEK) and the Key Encrypting Key (KEK) (such as limited access to the keys, algorithms, protocols, key strength), generation, distribution, storage, replacement, and the expiration of the keys.
  5. Per PCI, “If you don’t need it, don’t store it!”
    • If you do not have a business need for storing cardholder data, then protect yourself and do not store it. 

Common Questions:

  1. What types of entities can store sensitive authentication data (SAD)?
    • Issuers and/or companies that support issuing services typically store cardholder data and must have a legitimate business justification for doing so. Note that all of the PCI DSS requirements still apply to these entities.
  2. My cardholder data environment (CDE) is hosted within the cloud. Therefore, I am not responsible for requirement area 3 controls, correct?
    • Although your environment may be hosted within the cloud, you are still responsible for protecting the cardholder data within your environment. The cloud provider is only responsible for their underlying platform.
  3. I currently only store tokenized PAN. Does Requirement Three for the storage of PAN still apply to me?
    • If you are receiving tokenized PAN from your payment processor after authorization and you do not have the ability to reverse the token to view the full PAN, then the controls regarding the storage of PAN do not apply. If, however, you are not receiving the tokenized PAN from a processor and you are tokenizing the PAN internally, and you have the ability to reverse the tokenized PAN, then you are considered as storing the PAN, and you must meet the intent of the respective controls.
Download our guide to Getting Started with the PCI DSS

Conclusion

The goal of the PCI DSS is to ensure that cardholder data that is stored, processed, or transmitted is protected. Requirement Area Three in particular focuses on the storage of cardholder data and how it is protected through methods such as encryption, masking, and destruction.

Check Out Other Posts in this Series

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our consultants have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about this requirement or how CompliancePoint can assist your organization with preparing for your PCI DSS Certification. 

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.