Timeline for PCI DSS 4.0: The Third Requirement and Protecting Stored Data

While having only 12 requirements might make PCI DSS seem like a simple standard, each requirement is incredibly important and, if you aren’t paying attention, may call for practices you aren’t actually implementing. In the case of the third requirement, this could mean that you’re not actually protecting the most critical data in your possession: the private and financial information of your customers.

Therefore, if you want to avoid scandal, fraud, and the loss of your customers’ trust, you must follow the third PCI DSS requirement. As the rollout of PCI DSS 4.0 continues, we now turn to a discussion of that third requirement.
What Does it Mean to Protect Stored Data in PCI DSS?

“Stored” data is any data considered to be “at rest”: data saved on a hard drive, in a cloud storage system, on removable media, or on a mobile device.

This is an important distinction from protecting data in transmission (or “in transit”), because stored data persists in a fixed location, where malicious or accidental breaches can occur.
What Are Common Threats to Stored Data?

Because stored data is “stationary” and available (ideally only to authorized users), it remains vulnerable without the proper safeguards.

Some of the most common threats to data at rest include:
What Is the Third Requirement for PCI DSS 4.0?

The third requirement of PCI DSS is explicitly focused on protecting stored account data, that is, data at rest. To address the potential threats and vulnerabilities to consumer data stored in enterprise systems, this requirement includes provisions on proper data handling, data obfuscation, and the retention and deletion of data.

These practices are among the most important for risk assessment and management, as they require your organization to fully understand its need to process cardholder information, which systems will process and hold that information, and how to eliminate extraneous data storage.
3.1 – Processes and Mechanisms for Protecting Stored Account Data
3.2 – Storage of Account Data

3.3 – Sensitive Authentication Data (SAD)
3.4 – Restriction to Primary Account Numbers

3.5 – Secure PAN Storage
3.6 – Securing Cryptographic Keys

Your organization must secure cryptographic keys against disclosure. This includes applying least-privilege principles to access to keys, using key-encryption keys that are at least as strong as the data-encryption keys they protect, storing key-encryption keys and data-encryption keys in different locations, and minimizing the number of locations where keys are stored.
3.7 – PCI DSS Cryptographic Key Lifecycle Management
Prepare for PCI DSS 4.0 with Lazarus Alliance

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interdependence of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just items on a checklist; they are tried-and-true security practices that will still support your security efforts ten years from now.
Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.