PCI Readiness Series: PCI Requirements 3 and 4

by KirkpatrickPrice / June 4th, 2015

This session in our PCI Readiness Series focuses on PCI DSS Requirements 3 and 4, which focus on encryption and protecting cardholder data. PCI Requirement 3 states, “Protect stored cardholder data.” PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.”

What is Requirement 3?

PCI Requirement 3 gives organizations an opportunity to consider which retained data is required and which is becoming a liability for your organization. So how do you protect the stored cardholder data that is vital to your business? In this webinar, we will discuss the following sub-requirements:

Requirement 3.1 – Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.

Requirement 3.2 – Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

Requirement 3.3 – Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.

Requirement 3.4 – Render PAN unreadable anywhere it is stored (including on portable, digital media, backup media, and in logs).

Requirement 3.5 – Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.

Requirement 3.6 – Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.

Requirement 3.7 – Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
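Requirements 3.3 and 3.4 are concrete enough to show in code. The following is an added example, not part of the original post or of any KirkpatrickPrice material: a masking routine that reveals at most the first six and last four digits of a PAN, plus a redaction pass that applies it to free text such as a log line before it is written. The regular expression, the Luhn filter and the sample card number are assumptions of this example (the number is the well-known test value, not a real cardholder's PAN).

```python
import re

MASK_CHAR = "*"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by real PANs; filters out look-alike runs such as timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, show_first: int = 6, show_last: int = 4) -> str:
    """Return the PAN with at most the first six and last four digits visible (Req. 3.3).

    Separators (spaces, dashes) are kept so the masked value keeps its layout. The
    show_* arguments are capped at the PCI maximum so a caller cannot widen the display.
    """
    show_first, show_last = min(show_first, 6), min(show_last, 4)
    n = sum(c.isdigit() for c in pan)
    # Valid PANs are 13 to 19 digits; anything else is masked completely rather than
    # leaking most of a short value.
    keep = set(range(show_first)) | set(range(n - show_last, n)) if 13 <= n <= 19 else set()
    out, i = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if i in keep else MASK_CHAR)
            i += 1
        else:
            out.append(c)
    return "".join(out)

# 13 to 19 digits, optionally separated by single spaces or dashes (constructed pattern).
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def redact_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN in free text, e.g. a log line before it is written,
    so no readable PAN lands in logs (Req. 3.4). Non-Luhn digit runs are left alone;
    a stricter policy would mask every PAN-shaped run regardless of checksum."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        return mask_pan(raw) if luhn_ok("".join(filter(str.isdigit, raw))) else raw
    return _PAN_RE.sub(_sub, text)

if __name__ == "__main__":
    # Constructed sample: the well-known Visa test number, not a real cardholder's PAN.
    print(mask_pan("4111 1111 1111 1111"))                      # 4111 11** **** 1111
    print(redact_pans_in_text("card 4111111111111111 approved"))  # card 411111******1111 approved
```

Masking for display (3.3) and rendering stored PAN unreadable (3.4) are distinct controls; the redaction pass only covers the log case, and stored values still need truncation, tokenization, or strong encryption with managed keys under 3.5 and 3.6.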

What is Requirement 4?

The culture we live in revolves around satellite technology, cell phones/GSM, Bluetooth, laptops, wireless Internet, and more. We may consider these things private, but the PCI DSS deems them to be public. PCI Requirement 4 helps prevent organizations from being a target of malicious individuals who exploit vulnerabilities in misconfigured or weakened wireless networks. To comply with PCI Requirement 4, sensitive data that your organization transmits over open, public networks must be encrypted. In this webinar, we will discuss the following sub-requirements:

Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

Requirement 4.2 – Never send unprotected PANs by end-user messaging technologies.

Requirement 4.3 – Ensure that security policies and operational procedures for encrypting transmission of cardholder data are documented, in use, and known to all affected parties.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.