1. Home
2. Listings
3. PCI DSS Requirement 3

Category: PCI DSS Requirement 3

Protect Stored Account Data

 Account data protection relies heavily on safeguards like encryption, truncation, masking, and hashing (one-way encryption). Without the appropriate cryptographic keys, encrypted account data can’t be read or used by an attacker who subverts other security measures and successfully gains access to it, typically with malicious intent. As potential risk-mitigation opportunities, additional efficient methods of protecting stored data should also be taken into consideration. Examples of further risk mitigation include: avoiding sending unprotected Primary Account Numbers (PANs) via end-user messaging technologies like e-mail and instant messaging, and truncating cardholder data if a full PAN is not required.

Encrypting account data is not necessary if it is stored in non-persistent memory, such as RAM or volatile memory. To keep memory in a non-persistent state, however, proper controls must be in place as access to these critical systems may allow attackers to dump the contents of memory potentially containing cleartext sensitive cardholder data. When the business purpose (for example, the associated transaction) has concluded, sensitive data should be removed from volatile memory.

All applicable PCI DSS Requirements, including encryption of stored data, will apply if data storage becomes persistent. i.e. stored at rest.