Learn how to fulfill PCI Requirement 3
Encrypt stored card data
Protect encryption keys
Not only must card data be protected to comply with PCI requirement 3, but also the encryption keys must be protected. Leaving encryption keys unprotected is like storing your house key by leaving it in your front door lock, so it’s critical to use a solid PCI DSS encryption key management process.
Find stored card data
PCI DSS 3.2 Requirement 1.1.3 requires a current diagram for all card data flows in your organization. A card data flow diagram is a graphical representation of how card data moves through an organization. As you define your environment, ask all organizations and departments if they receive cardholder information, and determine how their answers may change your current understanding of your organization’s card data flows.
- What device(s) am I using for transactions? A virtual terminal? POS system?
- What happens to the card data after a transaction?
- Is data encrypted? If so, when is it encrypted? Is encryption managed internally or by a third party?
- Do I store card data after it’s sent to the processor for approval? Do my logs inadvertently store card data held in memory? Do manual processes allow card data storage in notes fields or other unprotected locations?
- When does authorization occur? Real-time or end-of-day?
- When a transaction is authorized, what cardholder data is returned by the processor? Is it encrypted? Tokenized?
- Is card data backed up on my system? Are backups encrypted? Is my backup server at a different location? Does that location meet PCI DSS requirements?
- Where might card data be transmitted or stored in processes not part of authorization?
Assign the responsibility of keeping unencrypted card data off your systems to an individual or team. Have them define and follow a process of periodic data discovery cycles to recheck and ensure systems remain clean of unencrypted card information.
SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)
Additional tipsHere are a few more things to think about while fulfilling Requirement 3:
- Reduce your PCI scope: The less you have to secure, the better. Streamline your card data flows and make sure you’re only storing what’s necessary
- Segment networks: While not required by the PCI DSS, network segmentation keeps your cardholder data environment separate from the rest of your network, reducing risk
- Place an individual in charge of PCI compliance: Becoming compliant can take time and effort. Establishing responsibility for PCI compliance can reduce confusion and increase accountability
Need help with PCI compliance? Talk to us!
Jen Stone (MSCIS, CISSP, QSA) is a Senior Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.