Data Protection [Req 3-4]
Rule: Protect stored account data through encryption, masking, and retention limits. Protect cardholder data with strong cryptography during transmission.
Requirement 3: Protect Stored Data
What Is Account Data?
| Data Type | Includes | Storage Permitted? |
|---|---|---|
| Cardholder Data (CHD) | PAN, cardholder name, expiration, service code | Yes, if protected |
| Sensitive Authentication Data (SAD) | Full track, CVV/CVC, PIN/PIN block | Never after authorization |
3.2 — Minimize Storage
| Control | Requirement |
|---|---|
| Data retention policy | Define storage amount and time |
| Quarterly purge | Remove data exceeding retention |
| Business justification | Document why storage needed |
3.3 — SAD Prohibited After Authorization
NEVER store after authorization:
- Full track data (magnetic stripe)
- Card verification codes (CVV2/CVC2/CAV2)
- PINs and PIN blocks
Deletion is required even if the data is encrypted.
3.4 — PAN Masking
When displaying PAN:
- Maximum visible: First 6 and last 4 digits
- Only show more if business need exists
- Document business justification
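As an added example (not text or code from the PCI DSS standard or any vendor), the helper below applies the 3.4 display limit of first 6 and last 4 digits and the 3.3 prohibition on retained verification codes to a constructed log line; the `pan=`/`cvv=` field names, the regexes and the Luhn filter are assumptions about the log format, not requirements of the standard.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens (assumed format).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Verification-code fields (Req 3.3): the value is removed entirely, never masked.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cav2|cid)\b\s*[:=]\s*\d{3,4}")

# Constructed sample line; the PAN is a well-known test number, the ref is not a card number.
SAMPLE_LOG = "2024-01-01 order=778812 pan=4111 1111 1111 1111 cvv=123 ref=1234567890123456"


def luhn_ok(digits: str) -> bool:
    """Luhn check, used only to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display; refuses anything beyond the 3.4 maximum of 6+4 digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    if lead > 6 or trail > 4:
        raise ValueError("exceeds PCI DSS 3.4 maximum (first 6, last 4)")
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]


def scrub(text: str) -> str:
    """Redact verification codes, then mask every Luhn-valid PAN-looking run."""
    text = CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)

    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        # Separators are dropped in the masked form; non-Luhn runs are left untouched.
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print(scrub(SAMPLE_LOG))
```

Run on `SAMPLE_LOG` the PAN becomes `411111******1111`, the `cvv=` value is dropped, and the 16-digit `ref=` value is left alone because it fails the Luhn check.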
3.5 — Protect Stored PAN
| Method | Requirement |
|---|---|
| Strong cryptography | One-way hashes, truncation, index tokens, strong encryption |
| Disk encryption | Not sufficient alone for removable media |
| Key management | Separate from data, secure storage |
Encryption Requirements
| Aspect | Requirement |
|---|---|
| Algorithm | Strong, industry-tested (AES-256, etc.) |
| Key strength | Minimum 128-bit for symmetric |
| Key storage | Encrypted or split knowledge |
| Key rotation | At end of cryptoperiod |
Requirement 4: Protect Data in Transit
4.2 — Encryption in Transit
| Control | Requirement |
|---|---|
| Strong cryptography | When transmitting PAN over open networks |
| TLS 1.2+ | Minimum protocol version |
| Certificate validation | Verify server certificates |
| No fallback | Do not allow insecure fallback |
Open/Public Networks Include:
- Internet
- Wireless networks
- Cellular/mobile networks
- Satellite communications
- Public cloud
Acceptable Protocols
| Protocol | Status |
|---|---|
| TLS 1.3 | Recommended |
| TLS 1.2 | Acceptable with secure configuration |
| TLS 1.1/1.0 | Not acceptable |
| SSL | Not acceptable |
Key Management [Req 3.6-3.7]
| Requirement | Detail |
|---|---|
| Key generation | Strong random generation |
| Key distribution | Secure methods |
| Key storage | Encrypted or split knowledge |
| Key rotation | Defined cryptoperiod |
| Key retirement | Secure destruction |
| Split knowledge | No single person has full key |
Citation
PCI DSS v4.0.1 Requirements 3-4