
PCI DSS Requirement 3: Protect Stored Cardholder Data


New requirements and sub-controls in PCI DSS 3.0 place a greater emphasis on the security and management of encryption keys.



Requirements Addressed


3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes.

3.2 Do not store sensitive authentication data after authorisation (even if encrypted).

3.3 Mask primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed).

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

- one-way hashes based on strong cryptography (hash must be of the entire PAN);

- truncation (hashing cannot be used to replace the truncated segment of PAN);

- index tokens and pads (pads must be securely stored);

- strong cryptography with associated key-management processes and procedures.

3.5 Protect any keys used to secure cardholder data against disclosure and misuse.

3.5.1 Restrict access to keys to the minimum number of people.

3.5.3 Keys must be stored in as few places as possible.

3.6 Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.

Additional 3.6 sub-controls mandate that best practices are followed when keys are replaced at the end of their cryptoperiod or after compromise, and that those entrusted with managing keys understand and accept their responsibilities.
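
As an added illustration of requirements 3.3 and 3.4 (not part of the original page or of any vendor's product), the functions below apply display masking, storage truncation and whole-PAN hashing to constructed sample PANs. SHA-256 as the "strong cryptography" hash and the 13-19 digit PAN length check are assumptions.

```python
import hashlib
import re

# Constructed sample PANs for illustration only (well-known test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "3782822463100055"]


def validate_pan(pan: str) -> str:
    """Strip spaces/dashes and return the PAN digits, or raise if not 13-19 digits (assumed range)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Display masking per 3.3: the first six and last four digits are the MAXIMUM shown.

    A caller may show fewer digits (for example the last four only) but never more.
    """
    if not (0 <= lead <= 6 and 0 <= trail <= 4):
        raise ValueError("3.3 permits at most the first six and last four digits")
    digits = validate_pan(pan)
    hidden = len(digits) - lead - trail
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]


def truncate_pan(pan: str) -> str:
    """Storage truncation per 3.4: the middle digits are discarded, not just masked,
    so the full PAN cannot be rebuilt from what is kept."""
    digits = validate_pan(pan)
    return digits[:6] + digits[-4:]


def hash_pan(pan: str) -> str:
    """Storage hashing per 3.4: a one-way hash over the ENTIRE PAN (SHA-256 assumed).

    The hash is a separate representation; it must not be stored as a stand-in
    for the segment removed by truncation."""
    digits = validate_pan(pan)
    return hashlib.sha256(digits.encode("ascii")).hexdigest()


if __name__ == "__main__":
    for sample in SAMPLE_PANS:
        print(mask_pan(sample), truncate_pan(sample), hash_pan(sample)[:16] + "...")
```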




Solution Features


> Encrypt Data At Rest

> Encryption

> Mask PANs

> Store and manage the encryption keys separate from the encrypted cardholder data.

> All key management processes and policies are documented for auditing purposes.

> Secure data at rest in Linux.


This includes customer PANs, credit card numbers, and other personally identifiable information.

> Encryption Key Management

Securely store encryption keys under further layers of encryption and make them available to authorised end users and administrators only after strong authentication. Options include username and password authentication with multi-factor options including tokens, smartcards and biometrics.

Provide secure, strong, standards-based processes for key generation, storage, and distribution. The encryption solution is FIPS 140-2 and Common Criteria EAL3+ certified.

> WAF (Web Application Firewall)

> Application Control
Identifies and stops malicious application activities while allowing only authorised applications.


> Ensure hard disks containing encrypted data are securely disposed of via an encryption key-wipe capability.

> Scan data that is saved to removable storage. If sensitive data is found, the solution warns the end user, blocks it, or reports it.

> Only allow data to be stored on specific devices or encrypted devices. Custom rules can be created to protect PINs and verification codes.

> Discover and protect sensitive personally identifiable information, such as credit card and social security numbers, to prevent its leakage.

> Provide strong encryption of all data stored on laptops, desktops, servers and on portable media.
Encryption keys are managed independently of the operating system access controls.






Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk