Learn how to fulfill PCI Requirement 3. 

Jen Stone, QSA, CISSP
By: Jen Stone
Security Analyst
QSA, CISSP
Are you compliant with PCI DSS Requirement 3? This requirement involves protecting card data storage.
Here are some things to remember when it comes to complying with PCI Requirement 3.

Encrypt stored card data

PCI Requirement 3When cybercriminals hack a payment system, they can’t steal cardholder data that isn’t there. That’s why it’s important to keep your system clean of insecurely stored card data. The problem is that unencrypted payment card data has a way of creeping in where you least expect it.

Stored card data must be encrypted using industry-accepted algorithms (e.g., AES-256). Unfortunately, many merchants don’t know they are storing unencrypted Primary Account Numbers (PANs). In the latest study by SecurityMetrics, 67% of merchants were found to store unencrypted PANs.

Some places that may be hiding card data unintentionally include:
  • Error logs: often contain full card data when an error in card authentication occurs
  • Sales departments: may have emailed or printed forms containing card data
  • Customer service representatives: may take card numbers over the phone, have handwritten card data
  • Administrative assistants: may have a spreadsheet containing an executive’s card number for quick access 
SEE ALSO: Do You Know Where You Store Card Data?

Protect encryption keys

Not only must card data be protected, but also the encryption keys must be protected. Leaving encryption keys unprotected is like storing your house key by leaving it in your front door lock, so it’s critical to use a solid PCI DSS encryption key management process.

Find stored card data 

Payment card data can easily leak due to poor processes or misconfigured software. You must look where you think the data is, and then look where it shouldn’t be.

PCI DSS 3.2 Requirement 1.1.3 requires a current diagram for all card data flows in your organization. A card data flow diagram is a graphical representation of how card data moves through an organization. As you define your environment, ask all organizations and departments if they receive cardholder information, and determine how their answers may change your current understanding of your organization’s card data flows.

Here are a few questions you should ask when making a card data flow diagram:
requirement 3
  • What device(s) am I using for transactions? A virtual terminal? POS system? 

  • What happens to the card data after a transaction? 

  • Is data encrypted? If so, when is it encrypted? Is encryption managed internally or by a third party? 
  • Do I store card data after it’s sent to the processor for approval? Do my logs inadvertently store card data held in memory? Do manual processes allow card data storage in notes fields or other unprotected locations?

  • When does authorization occur? Real-time or end-of-day? 

  • When a transaction is authorized, what cardholder data is returned by the processor? Is it encrypted? Tokenized?

  • Is card data backed up on my system? Are backups encrypted? Is my backup server at a different location? Does that location meet PCI DSS requirements? 

  • Where might card data be transmitted or stored in processes not part of authorization? 

In addition to looking at data flows and processes, you should regularly run a cardholder data discovery tool (such as PANscan® or PIIscan) on your systems. These tools help identify the location of unencrypted PAN. Knowing where PAN data is stored helps confirm if your CDE is secure. It also helps identify which processes or data flows might need to be adjusted.

Assign the responsibility of keeping unencrypted card data off your systems to an individual or team. Have them define and follow a process of periodic data discovery cycles to recheck and ensure systems remain clean of unencrypted card information.

SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)

Additional tips

Here are a few more things to think about while fulfilling Requirement 3:
  • Reduce your PCI scope: The less you have to secure, the better. Streamline your card data flows and make sure you’re only storing what’s necessary
  • Segment networks: While not required by the PCI DSS, network segmentation keeps your cardholder data environment separate from the rest of your network, reducing risk
  • Place an individual in charge of PCI compliance: Becoming compliant can take time and effort. Establishing responsibility for PCI compliance can reduce confusion and increase accountability
Note: Making a single person responsible for PCI compliance is a new requirement (12.4.1) for service providers that will be in place next year. This requirement is a best practice until January 31, 2018, after which it becomes a requirement. 


Need help with PCI compliance? Talk to us! 

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 


SecurityMetrics Guide to PCI DSS Compliance