BLOG HOME > Auditor Tips > Auditor Tips: Requirement 3: Protect Cardholder Data

Auditor Tips: Requirement 3: Protect Cardholder Data

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide. 

Don’t keep any data you don’t need. If you only need the last four numbers of PAN, get rid of the rest! For each element of cardholder data, ask yourself if you really need it or if it is just nice to have. I have found that some companies have a lot of data they really don’t need and never ask if the business needs it. The more data you keep, the higher the risk.

IT should work closely with all business groups to decide what data the company needs, where to store it, and for how long. Data retention policies are key to ensuring that your data has the appropriate controls. Periodic assessments of data retention and data mappings should be performed. Data requirements might change over time, so check often.

It is important to know what data you actually store, process, and/or transmit. If you don’t know what you have, it is difficult to implement the correct controls around it. Data flow mapping helps you understand the data coming into and out of your organization. Create data flow diagrams for your entire organization (on all information you deem sensitive), not just for your CDE environments. You might miss something if you only focus on theCDE and CHD.

In addition, use automated tools that can help you search for and find unencrypted CHD. You will be surprised by what you find outside of your CDE. Run these tools often to ensure data is where it should be.

The more data you keep ,the higher the risk.

PCI DSS v4.0 Considerations for Requirement 3

As noted above in the PCI DSS v.4.0 summary, Requirement 3 has a lot of changes. Make sure you understand what elements of cardholder data you are storing and what that means for 4.0.There are some changes to the encryption requirements in 2025.These changes could take a lot of effort, so start now.

Also, review your algorithms and hashing functions as those maybe impacted when moving to PCI DSS v.4.0.

Ben Christensen
Security Analyst

Join Thousands of Security Professionals and Subscribe