What Are Encryption Requirements for PCI DSS?

The newest version of PCI DSS (4.0) is out, and companies are asking about the new requirements. Some of those requirements concern encryption, and while there are changes, most of what version 3.2.1 required still applies.

Learn more about PCI DSS encryption and how it’s shifting in version 4.0.

What Is Encryption?

Encryption is the transformation of data using ciphers (and, historically, codes and other techniques) so that it is unreadable to anyone other than the authorized or intended recipients. The earliest known forms appeared in ancient Egypt and Rome, where military and political leaders used them to share messages that outside eyes could not read.

Centuries later, the Arab mathematician Al-Kindi described how statistics and frequency analysis could be used to break substitution ciphers, the earliest known work in cryptanalysis. From then on, cryptography developed alongside the techniques for attacking it, and each new cipher had to answer the attacks on the last.

Today, encryption is part of daily life: online commerce, banking, and communications all rely on it in some form. That was not always so. Even after the Data Encryption Standard (DES) was published as a US federal standard in 1977, strong encryption was for years treated as a controlled technology and its export was restricted to government and military use. Legal challenges and industry pressure against those controls (both in support of private security and over concern about backdoors in government-approved ciphers) eventually opened government-grade encryption to public use.

These days, we use encryption for nearly every form of communication in some way:

For modern security practices, encryption is a necessary technology. Unsurprisingly, most security frameworks and regulations include forms of encryption as part of their requirements. PCI DSS is no different.

Encryption Standards for PCI DSS version 3.2.1

While PCI DSS 4.0 has been released, it has not yet fully replaced its predecessor. As of this writing, version 3.2.1 remains the primary standard for PCI DSS compliance, apart from a handful of specific changes that assessors already expect in assessments performed against version 4.0.

In the PCI standard, encryption generally falls under two of the 12 total requirements:

PCI Requirement 3

Requirement 3 (protect stored cardholder data) applies only to organizations that store cardholder data. If a company never stores the primary account number (PAN) or the other cardholder data elements (cardholder name, expiration date, service code), there is nothing to protect at rest; if it does store them, the stored PAN must be rendered unreadable. Sensitive authentication data (full track data, card verification codes, PINs) must not be stored after authorization at all, even in encrypted form.
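As an added illustration (not the page's own material and not an excerpt from the standard), the following Python shows the kinds of technique Requirement 3 accepts for rendering a stored PAN unreadable: masking for display, truncation, and a keyed one-way hash. It also shows why an unkeyed hash of a PAN is not a protection. The test card number, the key, and the helper names are constructed for this example.

```python
"""Rendering a stored PAN unreadable (PCI DSS Requirement 3), on a constructed test number.

Added example, not code from the page or the standard: the helper names, the key and the
test PAN are assumptions made here for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed input: a well-known test number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: a cheap filter for PAN-shaped strings when inventorying data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking for display: PCI DSS permits showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the digits a business need requires (here the last
    four) and discard the rest, so the full PAN is never written down."""
    return pan[-4:]


def unkeyed_hash_pan(pan: str) -> str:
    """Plain SHA-256 of the PAN, shown only to demonstrate the weakness below."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA-256) of the full PAN, usable as a lookup token. Without
    the key the guessing attack below is not possible, so the key needs the same management
    and protection as a data-encrypting key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(digest: str, first6: str, last4: str) -> Optional[str]:
    """Why an unkeyed hash is not 'unreadable': if the masked form (first six + last four)
    sits next to the hash, only the middle six digits are unknown, i.e. at most 10**6 guesses."""
    missing = 16 - len(first6) - len(last4)
    for n in range(10 ** missing):
        candidate = first6 + str(n).zfill(missing) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)     # in practice: from a key-management system, never hard-coded
    print("valid PAN:  ", luhn_valid(TEST_PAN))
    print("masked:     ", mask_pan(TEST_PAN))
    print("truncated:  ", truncate_pan(TEST_PAN))
    print("keyed hash: ", keyed_hash_pan(TEST_PAN, key))
    print("unkeyed hash recovered as:",
          recover_from_unkeyed_hash(unkeyed_hash_pan(TEST_PAN), "411111", "1111"))
```

The guessing function is the practical reason the standard distinguishes a "one-way hash based on strong cryptography" from a plain digest: with the masked PAN visible, an unkeyed SHA-256 falls to a million-guess search on commodity hardware in seconds, whereas the keyed variant depends on a secret the attacker does not hold. PCI DSS 4.0 makes keyed hashing explicit for this purpose.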

Some of the primary sub-requirements under Requirement 3 include:

PCI Requirement 4

Requirement 4 dictates that cardholder data must be encrypted with strong cryptography when it is transmitted over open, public networks. This applies more broadly than Requirement 3: a company may be able to avoid storing cardholder data, but every processor transmits it, if for no other reason than to obtain an authorization.
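The following Python is an added example, not code from the page or from the standard: a client-side TLS configuration that satisfies the "strong cryptography" expectation for Requirement 4, placed beside the weak configuration it replaces, with a small checker that reports why a configuration falls short. PCI DSS excludes SSL and early TLS but does not prescribe a cipher list, so the cipher string and the non-AEAD heuristic below are this example's own choices; the legacy cipher suite named in the weak context is likewise an assumption for illustration.

```python
"""Strong cryptography on the wire (PCI DSS Requirement 4): a client TLS context that refuses
SSL and early TLS, beside a weak one, plus a checker that explains the difference.

Added example, not code from the page or the standard. The cipher string and the checks are
this example's own choices; PCI DSS requires "strong cryptography" and rules out SSL/early TLS
but does not mandate a particular cipher list.
"""
import ssl
from typing import List, Optional


def pci_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: certificate and hostname verification on, TLS 1.2 minimum,
    forward-secret AEAD suites only for TLS 1.2 (every TLS 1.3 suite is already AEAD)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSLv3, TLS 1.0 and 1.1 are not strong
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration for contrast: no certificate checks, no lower bound on the
    protocol version, and a CBC/HMAC-SHA1 suite enabled (an assumption made for the example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever the library allows
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def context_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons a context would not count as strong cryptography; empty means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows SSL/early TLS (minimum version below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not verify the server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the server hostname")
    # Heuristic: OpenSSL names AEAD suites with GCM, CCM or CHACHA20; anything else is CBC/MAC.
    non_aead = [c["name"] for c in ctx.get_ciphers()
                if not any(tag in c["name"] for tag in ("GCM", "CHACHA20", "CCM"))]
    if non_aead:
        findings.append("enables non-AEAD cipher suites: " + ", ".join(non_aead))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", pci_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, context_findings(ctx) or ["ok"])
```

The checker inspects only the local configuration; what a deployed endpoint actually negotiates still has to be confirmed against the live service, which is what a PCI assessor's scan does.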

Some of the primary sub-requirements under Requirement 4 include:

In the context of PCI DSS, “strong cryptography” includes the following methods:

Additionally, there are several practices organizations must implement beyond encrypting the data itself:

Encryption Standards for PCI DSS version 4.0

The encryption requirements in version 4.0 are not radically different so far, which is not unexpected. As the standard evolves, revisions to 4.0 will introduce new requirements as needed.

However, version 4.0 does introduce several new definitions and approaches:

PCI DSS Encryption and Continuum GRC

Managing encryption is relatively straightforward on paper, but it requires a complete understanding of where cardholder data lives in your environment. Rather than relying on ad hoc data inventories and piecemeal encryption, use a risk- and compliance-based platform that can support your comprehensive efforts to meet PCI DSS encryption requirements.

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
