Req 3: Protect Stored Account Data
Encrypt or otherwise protect stored cardholder data.
Responsibility: Merchant
Compliance Status: In Progress (70%)
Overview
If you store cardholder data, it must be protected. This requirement outlines methods for rendering stored data unreadable, such as encryption, truncation, tokenization, or hashing.
Key Actions for Compliance
A non-exhaustive list of actions your organization should take to meet this requirement.
- Develop a data retention and disposal policy that limits storage of account data to what business, legal or regulatory purposes require, and verify at least once every three months that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.
- Do not store sensitive authentication data (SAD: full track data, card verification codes, PINs and PIN blocks) after authorization, even if it is encrypted.
- Mask primary account numbers (PAN) when displayed so that at most the first six (BIN) and last four digits are visible; only personnel with a legitimate business need may see more of the PAN.
- Render PAN unreadable wherever it is stored (databases, files, logs, backups and portable media included) using one of: a one-way hash of the entire PAN based on strong cryptography, truncation, index tokens, or strong cryptography with associated key-management processes.
Testing Procedures (Simplified)
How auditors may verify that this requirement is met.
- Examine policies and procedures for data retention and disposal.
- Verify that no sensitive authentication data is stored after authorization by examining incoming transaction data, logs, history and trace files, database schemas and contents, and backups.
- Examine documentation of the method used to render PAN unreadable, then inspect data repositories and audit logs (including payment application logs) to confirm that PAN is unreadable wherever it is stored.
- Examine displays of PAN (screens, receipts, reports) and the roles permitted to view full PAN to confirm that masking is applied.
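The data-handling methods named above (masking for display, truncation and keyed hashing to render stored PAN unreadable) and the inspection step in the testing procedures (finding cleartext PAN and SAD in files and logs), as an added Python example that is not part of the PCI DSS text or this dashboard. The regular expressions, field names and log lines are constructed for illustration; 4111111111111111 is a well-known test card number, and the HMAC key is a placeholder, not a key-management design.

```python
# Added example (not from the PCI DSS text or this dashboard): rendering PAN
# unreadable for display and storage, and scanning stored data for cleartext
# PAN and sensitive authentication data (SAD). Sample log lines are constructed.
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812); filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(pan: str) -> str:
    """Strip separators and enforce the 13 to 19 digit PAN length range."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d


def mask_pan(pan: str) -> str:
    """Masking for display (PCI DSS v4.0 Req. 3.4.1): at most the first six (BIN)
    and last four digits are visible. The stored value itself is unchanged."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage (PCI DSS v4.0 Req. 3.5.1): the middle digits are
    discarded, so the full PAN cannot be recovered from the stored value."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the entire PAN. PCI DSS v4.0 Req. 3.5.1.1 requires
    hashes used to render PAN unreadable to be keyed: an unkeyed SHA-256 of a
    16-digit PAN is brute-forceable once the BIN is known. Key management is out of
    scope here (placeholder key). Do not keep a truncated and a hashed form of the
    same PAN where the two could be correlated to reconstruct it."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 layout: start sentinel %, format code B, PAN, ^, name, ^, expiry YYMM ...
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Card verification code stored in a named field (constructed field names).
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2|security_code)\W{0,3}\d{3,4}\b", re.IGNORECASE)


def scan_for_account_data(lines):
    """Return (line_no, kind, detail) for each cleartext PAN or SAD indicator found.
    PAN findings are reported masked so the scanner's output is not itself a PAN store."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            d = re.sub(r"\D", "", m.group())
            if luhn_valid(d):
                findings.append((n, "PAN", mask_pan(d)))
        if TRACK1.search(line):
            findings.append((n, "TRACK1", "full magnetic-stripe track data"))
        if CVV_FIELD.search(line):
            findings.append((n, "CVV", "card verification code"))
    return findings


# Constructed sample of an application log; 4111111111111111 is a test PAN.
SAMPLE_LOG = [
    "2024-05-02 10:01 order=1001 pan=4111111111111111 exp=12/26",             # cleartext PAN
    "2024-05-02 10:02 order=1002 pan=411111******1111",                         # masked, acceptable
    "2024-05-02 10:03 order=1003 track=%B4111111111111111^DOE/JOHN^2612101?",  # track 1 = SAD
    "2024-05-02 10:04 order=1004 cvv2=123 amount=19.99",                        # CVV after auth = SAD
    "2024-05-02 10:05 order=1005 token=tok_8f3a9c ref=1234567890123456",        # token; ref fails Luhn
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"), truncate_pan("4111111111111111"))
    for n, kind, detail in scan_for_account_data(SAMPLE_LOG):
        print(f"line {n}: {kind}: {detail}")
```

Run the scanner over the locations the testing procedure names (database exports, application and debug logs, trace files, backups) rather than only production tables. Treat findings as leads: a Luhn-valid 16-digit run can be an order reference rather than a PAN, and the track and CVV patterns only catch recognisable layouts and field names, so confirm each hit against the data source before reporting it.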