Skip to main content

💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.

  • Contextual name: 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.

  • ID: /frameworks/pci-dss-v3.2.1/03/04/01

  • Located in: 💼 3.4 Render PAN unreadable anywhere it is stored.

Description

Decryption keys must not be associated with user accounts.

This requirement applies in addition to all other PCI DSS encryption and key-management requirements.

Similar

  • Sections
    • /frameworks/pci-dss-v4.0/03/05/01/03
  • Internal
    • ID: dec-c-fe88d76c

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlags
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlags
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlags

Policies (12)

PolicyLogic CountFlags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢1🟢 x6
📝 AWS EFS File System encryption is not enabled 🟢1🟢 x6
📝 AWS RDS Instance Encryption is not enabled 🟢1🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢1🟢 x6
📝 Azure Storage Account With Critical Data is not encrypted with customer managed key 🟢🟢 x3
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢1🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢1🟢 x6
📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢1🟢 x6
📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢1🟢 x6
📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢1🟢 x6
📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢1🟢 x6
📝 Google GCE Instance Confidential Compute is not enabled 🟢1🟢 x6

Internal Rules

RulePoliciesFlags
✉️ dec-x-0bdcd2761
✉️ dec-x-5c3c20671
✉️ dec-x-6ba5ecd21
✉️ dec-x-9cdb74071
✉️ dec-x-966d31831
✉️ dec-x-aef11ebd1
✉️ dec-x-f63fd4f01