3 — Protect Stored Account Data
19 requirements in the Protect Stored Account Data requirement
3.1.1 All security policies and operational procedures that are identified in Requirement 3 are: Documented.
3.1.2 Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood.
3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: Coverage for all locations of stored account data.
3.3.1 SAD is not stored after authorization, even if encrypted.
3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
3.3.3 Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: Limited to that which is needed for a legitimate issuing business need and is secured.
3.4.1 PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.
3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.
3.5.1 PAN is rendered unreadable anywhere it is stored by using any of the following approaches: One-way hashes based on strong cryptography of the entire PAN.
3.6.1 Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: Access to keys is restricted to the fewest number of custodians necessary.
3.7.1 Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data.
3.7.2 Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data.
3.7.3 Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data.
3.7.4 Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following: A defined cryptoperiod for each key type in use.
3.7.5 Key management policies and procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: The key has reached the end of its defined cryptoperiod.
3.7.6 Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented including managing these operations using split knowledge and dual control.
3.7.7 Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys.
3.7.8 Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.
3.7.9 Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider's customers.