| Requirement | | | | |
|---|---|---|---|---|
| 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies. | | | | |
| 3.2 Do not store sensitive authentication data after authorization (even if encrypted). | 3 | | | |
| 3.2.1 Do not store the full contents of any track after authorization. | | | | |
| 3.2.2 Do not store the card verification code or value after authorization. | | | | |
| 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. | | | | |
| 3.3 Mask PAN when displayed, such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN. | | | | |
| 3.4 Render PAN unreadable anywhere it is stored. | 1 | | | |
| 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms. | | 7 | 7 | |
| 3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. | 4 | | | |
| 3.5.1 Maintain a documented description of the cryptographic architecture. | | | | |
| 3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary. | | | | |
| 3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the described forms at all times. | | | | |
| 3.5.4 Store cryptographic keys in the fewest possible locations. | | | | |
| 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data. | 8 | | | |
| 3.6.1 Generation of strong cryptographic keys. | | | | |
| 3.6.2 Secure cryptographic key distribution. | | | | |
| 3.6.3 Secure cryptographic key storage. | | | | |
| 3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines. | | | | |
| 3.6.5 Retirement or replacement of keys as deemed necessary when the integrity of the key has been weakened, or keys are suspected of being compromised. | | | | |
| 3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control. | | | | |
| 3.6.7 Prevention of unauthorized substitution of cryptographic keys. | | | | |
| 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. | | | | |
| 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. | | | | |
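Requirement 3.3 states a concrete display rule (no more than the first six and last four digits visible unless the viewer has a legitimate business need) and 3.2 forbids retaining data that should never have reached storage or logs. The following is an added example written for this page, not text or code from PCI DSS or any vendor: it normalizes a PAN, masks it to at most first six/last four, gates the full PAN behind a role, and scans constructed log text for digit runs that look like unmasked PANs (using a Luhn check to reduce false positives). The role name `chargeback_analyst`, the function names, and the sample PANs and log line are all constructed for this example.

```python
"""Added example for PCI DSS Requirement 3.3 (PAN masking on display) and
for checking that unmasked PANs do not leak into logs. Not PCI DSS text;
role names, sample PANs and the log line are constructed."""
import re

# Hypothetical roles with a documented, legitimate need to see the full PAN.
FULL_PAN_ROLES = frozenset({"chargeback_analyst"})

# PANs in common use are 13 to 19 digits long.
_PAN_SHAPE = re.compile(r"^\d{13,19}$")
# A digit run of PAN length that is not part of a longer digit run.
_PAN_IN_TEXT = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def normalize_pan(pan: str) -> str:
    """Strip spaces and hyphens; reject anything that is not 13-19 digits."""
    cleaned = re.sub(r"[\s-]", "", pan)
    if not _PAN_SHAPE.match(cleaned):
        raise ValueError("not a PAN: expected 13-19 digits")
    return cleaned


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Return the PAN with only the first `first` and last `last` digits visible.

    The visible window may be narrowed below the 6/4 default but never widened,
    so a caller cannot accidentally display more than Requirement 3.3 allows.
    """
    if not (0 <= first <= 6 and 0 <= last <= 4):
        raise ValueError("masking may not reveal more than first six/last four")
    digits = normalize_pan(pan)
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]


def display_pan(pan: str, role: str) -> str:
    """Render a PAN for a viewer: full PAN only for roles with a business need."""
    if role in FULL_PAN_ROLES:
        return normalize_pan(pan)
    return mask_pan(pan)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation (used only to cut false positives in scans)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list[str]:
    """Return candidate unmasked PANs found in free text (e.g. a log line).

    Masked values such as 411111******1111 never match because the asterisks
    break the digit run below PAN length.
    """
    return [m for m in _PAN_IN_TEXT.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number, not a real card).
    sample = "4111 1111 1111 1111"
    print(display_pan(sample, "support_agent"))        # 411111******1111
    print(display_pan(sample, "chargeback_analyst"))   # 4111111111111111
    # Constructed log line: one unmasked PAN, one masked PAN, one plain reference.
    log_line = ("order 8812 paid with 4111111111111111; "
                "masked 411111******1111; ref 1234567890123")
    print(find_unmasked_pans(log_line))                # ['4111111111111111']
```

The `find_unmasked_pans` scan is the kind of check that belongs in a log pipeline or a CI test over sample output: a hit means the masking rule was bypassed somewhere upstream, which is exactly the storage failure 3.2 and 3.4 are written to prevent.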