PCI Data in storage encryption?
Forum: Information Assurance, Governance, Risk and Compliance


This topic contains 1 reply, has 2 voices, and was last updated by  cisatrainee1 3 years, 4 months ago.



    Hi All,

    Reviewing the PCI standard, as I have been working on this for a while now. I have a question here as it is not clear in the training and online documentation:
    What about cardholder information storage? Is encryption at rest mandatory or not?
    I completely agree with and understand the best practices around it (encryption, scrambling/anonymisation, strict access, etc.), but is it actually _required_ to encrypt, or is very strict access enough according to the standard?

    Thanks for any advice 🙂



    This is the best way to break it down:

    Account Data is comprised of:

    Cardholder Data – Primary Account Number (PAN), cardholder name, service code, expiration date
    Sensitive Authentication Data – Full Track Data, CAV2/CVC2/CVV2/CID, PIN/PIN Block

    Concerning the Cardholder Data, per PCI-DSS 3.2 – Requirement 3.4 – only the PAN is required to be rendered unreadable. So the PAN would need to be encrypted at rest in this circumstance. Do note how the PCI council interprets how the PAN should be unreadable in the notes on 3.4, concerning hashes, truncation, tokens, and cryptography.

    When it comes to Sensitive Authentication Data, it must not be stored after authorization even if it is encrypted, per Requirement 3.2. The only exception to this rule is for Issuers, who can store it securely as long as:

    There is a business justification for it, and
    The data is stored securely.

    This can all be found under Requirement 3.
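Added example (not from either poster): a minimal Python "store after authorization" routine that applies the split above. It refuses any record that still carries Sensitive Authentication Data and replaces the PAN with a keyed-hash token (HMAC-SHA256), leaving the other Cardholder Data fields as they are. The field names, the constructed key and the retained last four digits are assumptions; the Issuer exception is not modelled.

```python
import hashlib
import hmac

# Field taxonomy following the breakdown in the answer above.
# The field names themselves are assumptions made for this example.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
SENSITIVE_AUTH_DATA = {"full_track_data", "card_verification_code", "pin_block"}


class SensitiveAuthDataError(ValueError):
    """Record still carries SAD, which must not be stored after authorization."""


def normalize_pan(pan: str) -> str:
    """Keep digits only so '4111 1111 ...' and '4111-1111-...' tokenize identically."""
    return "".join(ch for ch in pan if ch.isdigit())


def pan_token(pan: str, key: bytes) -> str:
    """Render the PAN unreadable with a keyed hash (HMAC-SHA256).
    A plain unkeyed hash would be guessable from the small PAN space;
    the key must be kept outside the data store (e.g. an HSM or KMS)."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def persist_after_authorization(record: dict, key: bytes) -> dict:
    """Return the version of `record` that may be written to storage."""
    sad_present = SENSITIVE_AUTH_DATA & set(record)
    if sad_present:
        raise SensitiveAuthDataError(
            f"refusing to store sensitive authentication data: {sorted(sad_present)}")
    unknown = set(record) - CARDHOLDER_DATA
    if unknown:
        raise ValueError(f"unclassified fields, classify before storing: {sorted(unknown)}")
    stored = {k: v for k, v in record.items() if k != "pan"}
    if "pan" in record:
        stored["pan_token"] = pan_token(record["pan"], key)
        # Retaining a truncated form for display is an assumption here; the
        # digits that may be kept depend on the applicable truncation rules.
        stored["pan_last4"] = normalize_pan(record["pan"])[-4:]
    return stored


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # constructed sample key
    authorized = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example",
                  "expiration_date": "12/27", "service_code": "201"}
    print(persist_after_authorization(authorized, demo_key))
    try:
        persist_after_authorization({**authorized, "card_verification_code": "123"}, demo_key)
    except SensitiveAuthDataError as exc:
        print("rejected:", exc)
```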
