3.3.1—SAD is not stored after authorization, even if encrypted.
>Requirement Description
SAD is not stored after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process Applicability Notes Issuers and companies that support issuing services, where there is a legitimate and documented business need to store SAD, are not required to meet this requirement. A legitimate business need is one that is necessary for the performance of the function being provided by or for the issuer. Refer to Requirement 3.3.3 for additional requirements specifically for these entities. Sensitive authentication data includes the data cited in Requirements 3.3.1.1 through 3.3.1.3.
>Cross-Framework Mappings
NIST CSF 2.0
via NIST OLIR CatalogAsk AI
Configure your API key to use AI features.