Skip to main content

💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.

  • ID: /frameworks/pci-dss-v3.2.1/03/04/01

Description

Decryption keys must not be associated with user accounts.

This requirement applies in addition to all other PCI DSS encryption and key-management requirements.

Similar

  • Sections
    • /frameworks/pci-dss-v4.0/03/05/01/03
  • Internal
    • ID: dec-c-fe88d76c

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (12)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟢1🟢 x6no data
🛡️ AWS EFS File System encryption is not enabled🟢1🟢 x6no data
🛡️ AWS RDS Instance Encryption is not enabled🟢1🟢 x6no data
🛡️ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure Storage Account With Critical Data is not encrypted with customer managed key🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure Unattached Managed Disk is not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢1🟢 x6no data
🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢1🟢 x6no data
🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key🟢1🟢 x6no data
🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢1🟢 x6no data
🛡️ Google GCE Instance Confidential Compute is not enabled🟢1🟢 x6no data

Internal Rules

RulePoliciesFlags
✉️ dec-x-0bdcd2761
✉️ dec-x-5c3c20671
✉️ dec-x-6ba5ecd21
✉️ dec-x-9cdb74071
✉️ dec-x-966d31831
✉️ dec-x-aef11ebd1
✉️ dec-x-f63fd4f01