PCI Requirement 3.4.1 – Use of Disk Encryption

by Randy Bartels / May 31, 2023

If your organization is going to use disk encryption as a means to render data unreadable, you need to comply with PCI Requirement 3.4.1. PCI Requirement 3.4.1 states, “If disk encryption is used (rather than file or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login…

PCI Requirement 3.4 – Render PAN Unreadable Anywhere it is Stored

by Randy Bartels / December 22, 2022

What is PCI Requirement 3.4? PCI Requirement 3.4 requires, “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), strong cryptography with…

PCI Requirement 3.3 – Mask PAN when Displayed

by Randy Bartels / December 22, 2022

What is PCI Requirement 3.3? PCI Requirement 3.3 states, “Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.” What is PAN? The PCI DSS says, “The primary account number (PAN) is the defining factor for cardholder data. If…

PCI Requirement 3.2.1, 3.2.2 & 3.2.3 – Do Not Store the Track, Service Code, or PIN after Authorization

by Randy Bartels / December 22, 2022

PCI Requirement 3.2 requires that organizations do not store sensitive authentication data after authorization, even if encrypted. Sensitive authentication data includes full track data (magnetic-stripe data or equivalent on a chip), CAV2/CVC2/CVV2/CID, and PINs/PIN blocks. Along with PCI Requirement 3.2 comes three sub-requirements. PCI Requirement 3.2.1 states, “Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained…

PCI Requirement 3.2 – Do Not Store Sensitive Authentication Data after Authorization

by Randy Bartels / December 22, 2022

PCI Requirement 3.2 states, “Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.” Organizations in compliance with the PCI DSS should never store sensitive…