Requirement 3: Protect stored account data

  • This requirement covers the protection of stored cardholder data (CHD) and sensitive authentication data (SAD). All stored data must be protected using appropriate methods and must be securely deleted once it is no longer needed.

  • Figure 10. Global state of PCI DSS compliance: Requirement 3

  • Full compliance: At 84.4% global average, this requirement shows good improvement and ranked fourth overall on full compliance. It’s the first time in over five years that full compliance with Requirement 3 exceeds 80%.

  • Control gap: The gap narrowed significantly, resulting in the third-lowest control gap overall—a very positive development. The reduction in control gap is mainly due to significant improvements in Control 3.4 and Control 3.2.2.

  • Compensating controls: The use of compensating controls under Requirement 3 declined significantly—by nearly half—from 5.6% down to a low 2.6%. While this is the lowest use since at least 2015, it still ranked the fourth highest use of compensating controls across the 12 Key Requirements.

  • 2022 Payment Security Report
  • Figure 11. Requirement 2 control performance

    • A tip on sustainable control effectiveness

      It’s smart to automate payment transaction data discovery with appropriate tools. Apply it consistently to the correct scope to avoid accidental exclusions. Report the actual performance of data retention. Continuously improve consistency, so that staff diligently follow these policies and procedures.

  • Requirement 3: Protect stored account data

    The goal

    The goal of PCI DSS Key Requirement 3 is to develop, execute and maintain a sustainable capability for the ongoing, effective and reliable protection of all stored account data across the control environment; to keep the storage of account data to a minimum; and to prevent the storage of SAD after authorization unless it is needed for card-issuing functions.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • The goal applies to the storage of all PCI-branded cardholder data (CHD) and/or SAD in electronic and hardcopy formats and related system components
    • It applies to data at rest in all storage locations (servers, databases, storage arrays or areas, removable disks, CDs), and includes storage in nonvolatile memory (disks and storage chips)
    • The scope includes the management of responsibilities of any third parties involved in the transmission, storage and processing of account data

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Capability—scope control: The ability to effectively and continuously manage the CDE scope by identifying, tracking, recording and reporting all CHD storage, processing and transmission locations across the CDE, and rapid detection and response to any unintentional storage of account data outside the defined CDE
    • Capability—maintaining minimal data retention: Monitor, record and report data storage retention periods of account data, with documented business justifications for each retention period or duration
    • Capability—data removal: Secure, permanent and timely deletion or destruction of all account data that lacks a valid business justification for its retention
    • Capability—data protection: Effectively and continuously protect all stored CHD in a sustainable manner with approved mechanisms (masking, truncation, tokenization, encryption with secure cryptographic keys management)
    • Third parties: Manage contractually (by stipulating data protection and incident response responsibilities) any account data received or shared with third parties that is not under the direct control of your organization
    • Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Frequently monitor and report adherence to procedures

    Strong dependencies and integration with other key requirements

    • Requirement 6: Integration with system-hardening requirements
    • Requirements 7 & 8: Secure authentication and access control to components that store CHD
    • Requirement 10: Logging and monitoring of components that store CHD and related security systems
    • Requirement 11: The testing of components that store CHD and related security systems
    • Requirement 12: Ongoing contractual management of third-party data security responsibilities

    Short-term objectives

    • Scope: Develop and execute a process to accurately map and communicate the entire scope of the CDE
    • Automation: Perform ongoing data discovery with the use of data loss prevention (DLP) tools to effectively detect and report the presence of account data within and outside the defined CDE, and timely correction (inclusion) of in-scope components
    • Minimal data retention: Maintain a process for the secure and permanent deletion or destruction of account data that is not needed
    • Data protection: Frequently measure and report the effectiveness of all stored CHD protection procedures
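    The scope-control and automation objectives (discovering stored account data inside and outside the defined CDE) and the data-protection objective (masking and truncation of stored CHD) can be illustrated together. The following Python script is an added example; it is not code from Verizon's report or from any PCI DSS tool, and the sample export lines and the candidate-PAN regular expression are constructed for the illustration. It scans text for digit runs that look like a PAN, keeps only those that pass the Luhn check to cut false positives such as order numbers, and reports each hit in the first-six/last-four masked form, so the discovery report itself never stores a full PAN.

```python
"""Discover candidate PANs in text and report them only in a PCI-safe masked form.
Added example (not from the Verizon report); sample data below is constructed."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Constructed pattern for this illustration.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(digits: str) -> str:
    """Truncation: retain only the last four digits; the rest is discarded, not recoverable."""
    return digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the space/dash separators so the Luhn check and masking see plain digits."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[dict]:
    """Return one finding per Luhn-valid candidate (line number, masked form, length).
    The full PAN is deliberately never placed in the result."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = _normalize(m.group(0))
            if not luhn_valid(digits):
                continue
            findings.append({"line": line_no, "masked": mask_pan(digits), "length": len(digits)})
    return findings


def redact_text(text: str) -> str:
    """Replace every Luhn-valid candidate in text with its masked form; other digit runs stay."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample export: two real-looking test PANs (4111... and 5555... are the
# well-known Luhn-valid test numbers), one Luhn-invalid lookalike, and 13-digit order ids.
SAMPLE_EXPORT = """\
2024-05-01 order=1234567890123 card=4111 1111 1111 1111 status=approved
2024-05-01 order=1234567890124 card=5555-5555-5555-4444 status=approved
2024-05-01 order=1234567890125 note=callback 4111 1111 1111 1112 is not a PAN
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
    print(redact_text(SAMPLE_EXPORT))
```

    Run against a real export, the same function reports where account data sits outside the expected scope (the "inclusion" step of the automation objective) while the report itself holds only masked values; `redact_text` shows the masking control applied in place, and `truncate_pan` the stronger option when only the last four digits have a business use.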

    Long-term objectives

    • Performance management: Develop the ability for the ongoing measurement, reporting and improvement of CHD protection performance, including the frequency and duration of deviation from established CHD security policies, standards and procedures and the ability to communicate its impact on the effective and sustainable protection of stored CHD
    • Maturity: Achieve and maintain high-capability maturity and performance on the protection of stored CHD. Improve and refine support processes, automation, documentation and training

    Common constraints

    • Capability: Difficulty locating account data across the CDE; lack of capacity and automation
    • Competency: Improper understanding of cryptography and key-management procedures. Not demonstrating the consistent and effective use of cryptographic solutions to protect stored CHD. Limited oversight of the maintenance of cryptographic architecture and infrastructure