| ๐ผ 3.1 Processes and mechanisms for protecting stored account data are defined and understood. | 2 | | | |
| ย ย ย ย ๐ผ 3.1.1 All security policies and operational procedures identified in Requirement 3 are documented, kept up to date, in use, and known to all affected parties. | | | | |
| ย ย ย ย ๐ผ 3.1.2 Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood. | | | | |
| ๐ผ 3.2 Storage of account data is kept to a minimum. | 1 | | | |
| ย ย ย ย ๐ผ 3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes. | | | | |
| ๐ผ 3.3 Sensitive authentication data (SAD) is not stored after authorization. | 3 | | | |
| ย ย ย ย ๐ผ 3.3.1 SAD is not retained after authorization, even if encrypted. | 3 | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.3.1.1 The full contents of any track are not stored upon completion of the authorization process. | | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.3.1.2 The card verification code is not stored upon completion of the authorization process. | | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.3.1.3 The personal identification number (PIN) and the PIN block are not stored upon completion of the authorization process. | | | | |
| ย ย ย ย ๐ผ 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | | | | |
| ย ย ย ย ๐ผ 3.3.3 Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need, is secured and encrypted using strong cryptography. | | | | |
| ๐ผ 3.4 Access to displays of full PAN and ability to copy cardholder data are restricted. | 2 | | | |
| ย ย ย ย ๐ผ 3.4.1 PAN is masked when displayed, such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN. | | | | |
| ย ย ย ย ๐ผ 3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need. | | | | |
| ๐ผ 3.5 Primary account number (PAN) is secured wherever it is stored. | 1 | | | |
| ย ย ย ย ๐ผ 3.5.1 PAN is rendered unreadable anywhere it is stored. | 3 | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.5.1.1 Hashes used to render PAN unreadable are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures. | | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable. | | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable. | | | 7 | |
| ๐ผ 3.6 Cryptographic keys used to protect stored account data are secured. | 1 | | | |
| ย ย ย ย ๐ผ 3.6.1 Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse. | 3 | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.6.1.1 A documented description of the cryptographic architecture is maintained. | | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.6.1.2 Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the described forms at all times. | | | | |
| ย ย ย ย ย ย ย ย ๐ผ 3.6.1.3 Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary. | | | | |
| ๐ผ 3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. | 9 | | | |
| ย ย ย ย ๐ผ 3.7.1 Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data. | | | | |
| ย ย ย ย ๐ผ 3.7.2 Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data. | | | | |
| ย ย ย ย ๐ผ 3.7.3 Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data. | | | | |
| ย ย ย ย ๐ผ 3.7.4 Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod. | | | | |
| ย ย ย ย ๐ผ 3.7.5 Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data. | | | | |
| ย ย ย ย ๐ผ 3.7.6 Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control. | | | | |
| ย ย ย ย ๐ผ 3.7.7 Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. | | | | |
| ย ย ย ย ๐ผ 3.7.8 Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. | | | | |
| ย ย ย ย ๐ผ 3.7.9 Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider's customers. | | | | |