TABLE OF CONTENTS
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 3: Protect stored cardholder data
Cardholder data should never be stored unless it is necessary, and sensitive authentication data must never be stored after authorization.
- What is involved with this requirement?
  - Limit cardholder data storage and retention time to what is required for business, legal, and/or regulatory purposes; purge all other data.
  - Never store sensitive authentication data after authorization, even if it is encrypted. See the table below.
  - Render all sensitive authentication data unrecoverable upon completion of the authorization process.
  - Mask the PAN when it is displayed, so that at most the first six or last four digits are shown.
  - Render the PAN unreadable anywhere it is stored, including:
    - portable digital media
    - backup media
    - log files
    - data received from wireless sources
  - Technology solutions for rendering the PAN unreadable include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, and strong cryptography with associated key management.
  - Document and implement procedures to protect the keys used to encrypt cardholder data from disclosure or misuse.
  - Fully document and implement the key management processes and procedures for the cryptographic keys used to encrypt cardholder data.
  - Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
| Category | Data Element | Storage Permitted | Render Stored Data Unreadable |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | No |
| Cardholder Data | Service Code | Yes | No |
| Cardholder Data | Expiration Date | Yes | No |
| Sensitive Authentication Data | Full Track Data | No | Cannot be stored per Requirements |
| Sensitive Authentication Data | CAV2/CVC2/CVV2/CID | No | Cannot be stored per Requirements |
| Sensitive Authentication Data | PIN/PIN Block | No | Cannot be stored per Requirements |
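The following is an added example, not code from ezsoftpos, showing the Requirement 3 controls listed above in working form: masking a PAN for display, truncating it, producing a keyed one-way hash of the entire PAN, and dropping sensitive authentication data before a post-authorization record is written to storage. The PAN, the secret pad, and the field names are constructed for the example; in production the pad is generated randomly and kept in a key store, never beside the hashes.

```python
"""Added example, not ezsoftpos code: three ways Requirement 3 lists for
rendering a stored PAN unreadable (display masking, truncation, a keyed
one-way hash of the entire PAN) plus a guard that drops sensitive
authentication data before a record is persisted.  All sample values are
constructed."""
import hashlib
import hmac
import re

# Constructed sample PAN (a well-known test number, not a live card).
SAMPLE_PAN = "4111 1111 1111 1111"
# Constructed 32-byte secret "pad" for the keyed hash.  In production it is
# generated randomly and kept in a key store/HSM, never beside the hashes.
SAMPLE_PAD = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Assumed (lower-case) field names that hold sensitive authentication data.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cav2", "cvc2", "cvv2", "cid",
                         "pin", "pin_block"}


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and require 13-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan_for_display(pan: str) -> str:
    """Display form: first six and last four digits at most, rest masked."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only the last four digits; the rest is gone."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, pad: bytes = SAMPLE_PAD) -> str:
    """One-way hash of the ENTIRE PAN, keyed with a secret pad (HMAC-SHA256).
    Without the pad the hash cannot be recomputed for a lookup, and because
    the space of valid PANs is small enough to enumerate, an unkeyed hash
    could be reversed by brute force."""
    digits = normalize_pan(pan)
    return hmac.new(pad, digits.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_for_storage(record: dict) -> dict:
    """Return the subset of a post-authorization record that may be stored.

    Sensitive authentication data is dropped outright (it may not be stored
    even encrypted), and the PAN is replaced by its keyed hash.  Only one
    unreadable form is kept: a truncated copy next to a hash of the same PAN
    would narrow the search space for the hidden digits.
    """
    stored = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue
        if name == "pan":
            stored["pan_hash"] = hash_pan(value)
        else:
            stored[key] = value
    return stored


if __name__ == "__main__":
    print(mask_pan_for_display(SAMPLE_PAN))        # 411111******1111
    print(scrub_for_storage({"pan": SAMPLE_PAN, "cvv2": "123",
                             "name": "Test Cardholder"}))
```

Running the module prints the masked PAN and a storable record in which the CVV2 is gone and the PAN appears only as its keyed hash; a lookup by PAN later recomputes the same HMAC with the same pad.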
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Criminals may be able to intercept transmissions of customer data over open, public networks. Encryption is one of the ways to render transmitted data unreadable by unauthorized persons.
- What is involved in this requirement?
  - Use strong cryptography and security protocols to protect sensitive cardholder data while it is transmitted over open, public networks.
  - Ensure that wireless networks transmitting cardholder data use industry standard practices to implement strong encryption for authentication and transmission.
  - Never send unprotected PANs by end-user messaging technologies. Examples:
    - instant messaging
    - SMS
    - chat
  - Ensure that related security policies and operational procedures are documented, in use, and known to all parties.
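The following is an added example, not code from ezsoftpos, covering two of the Requirement 4 points above: a TLS client context that verifies the peer and refuses protocol versions below TLS 1.2, and an outbound-message guard that stops an unprotected PAN from leaving by instant messaging, SMS, or chat. The channel labels, the sample message, and the function names are assumptions made for the example.

```python
"""Added example, not ezsoftpos code: two controls for Requirement 4 -- a TLS
client context that refuses weak protocol versions and unverified peers, and an
outbound-message guard that blocks an unprotected PAN from leaving by end-user
messaging (instant messaging, SMS, chat).  The sample message and channel
names are constructed."""
import re
import ssl

# Assumed channel labels used by the messaging layer of an application.
END_USER_MESSAGING = {"im", "sms", "chat"}

# Constructed sample outbound message containing a well-known test PAN.
SAMPLE_MESSAGE = "Hi, please charge card 4111 1111 1111 1111 for ticket 20240612"

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def strict_client_context() -> ssl.SSLContext:
    """TLS context for sending cardholder data: verifies the server
    certificate chain and hostname, and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Pre-connection check that a context still enforces the strict settings."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit strings in text that look like PANs (length + Luhn)."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def outbound_message_allowed(channel: str, body: str) -> bool:
    """Refuse to send a message on an end-user messaging channel if it
    carries an unprotected PAN; other channels are left to their own TLS."""
    if channel.lower() in END_USER_MESSAGING and find_pans(body):
        return False
    return True


if __name__ == "__main__":
    print(context_is_strict(strict_client_context()))
    print(find_pans(SAMPLE_MESSAGE))
    print(outbound_message_allowed("sms", SAMPLE_MESSAGE))
```

The Luhn test keeps ticket and order numbers from tripping the guard, and the strict context is what an application would pass to `http.client.HTTPSConnection` or `urllib` when it sends cardholder data to a processor.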
Additional Resources and Help!
Still have questions? Please contact us any time at support@ezsoftpos.com.
NOTE: If emailing, please include your business name in the subject line of the email and provide your preferred contact information for the best response time.
Visit our Help Center for more guides and tutorials.