
Requirement 3: Protect stored cardholder data.


What It Means
Stockpiles of merchant-held computer data are a treasure trove for sophisticated hackers because of the huge payoff and the minimal effort required to steal this data. As a result, Requirement 3 directs merchants to:

  • Minimize stored data (both the type of data and the amount) and never store sensitive authentication data such as PINs or card verification codes.
  • Ensure that primary account numbers (PANs) are never displayed or printed unnecessarily, such as on receipts or in payment applications.
  • Make certain that measures are taken to prevent outsiders from accessing sensitive cardholder data wherever it is stored. The focus of this requirement is encryption, the most common way of protecting stored data, together with truncation, that is, storing only the last four digits of the account number.

Action Steps
The challenges of this requirement can be overwhelming to merchants. Each merchant must ask, “How much potential business disruption will come with reducing data storage and encrypting the data? What processes would need to change? Does my business use stored cardholder data for customer relationship management or simply for managing chargebacks?” It’s not simply about technology; it’s about how technology impacts business operations.

The first step for merchants is to analyze their own systems so they know where they stand. Merchants must investigate where their systems might be storing cardholder data, whether their payment applications or devices are certified, and whether there is even a remote chance that systems could be misconfigured to store data without their knowledge.

The next step is to reduce the volume of stored data to the absolute minimum. Consider this: losing 2,000 credit card numbers is not good, but it’s far better than losing 20,000 numbers. Once that reduction is made, merchants must consider using encryption or a comparable technology to protect the remaining data.
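The controls described in the list above (never store PINs or verification codes, show only the last four digits, protect any PAN you must keep) and the first two action steps (find where card data is stored, then shrink it) can be expressed as a few small checks. The following is an added example written for this page, not code from Compliance Services or from the PCI DSS; it uses only the Python standard library. The field names in FORBIDDEN_FIELDS, the demo key, the sample card record and the sample log line are all constructed assumptions. In place of encryption it uses a keyed HMAC surrogate (a one-way token) for the PAN, which is one of the "comparable technologies" the text refers to: it lets a merchant match a chargeback to a stored record without holding a reversible PAN.

```python
"""Requirement 3 helpers: minimise what is stored, refuse sensitive
authentication data, mask the PAN for display, and keep only a keyed
one-way token plus the last four digits. Added example, stdlib only."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Sensitive authentication data must never be stored after authorisation.
# These key names are an assumption about how a merchant's records are labelled.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Constructed demo key. In production the key comes from a key-management
# system and is never hard-coded alongside the data it protects.
DEMO_TOKEN_KEY = b"constructed-demo-key-replace-me"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; distinguishes card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: everything but the last four digits is masked."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(pan: str, key: bytes = DEMO_TOKEN_KEY) -> str:
    """Keyed one-way surrogate for the PAN, usable for lookups such as
    matching chargebacks. Without the key a stolen token cannot be turned
    back into a PAN, and without keyed hashing a plain SHA-256 of a
    16-digit number could be brute-forced."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """The minimum a merchant keeps: last four digits, token, expiry."""
    last4: str
    pan_token: str
    expiry: str


def minimise_record(raw: dict) -> StoredCard:
    """Reduce a raw payment record to what may be stored; refuse records
    that carry sensitive authentication data or an implausible PAN."""
    present = FORBIDDEN_FIELDS & {k.lower() for k in raw}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    digits = re.sub(r"\D", "", raw["pan"])
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid PAN")
    return StoredCard(last4=digits[-4:], pan_token=tokenize_pan(digits), expiry=raw["expiry"])


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Discovery check for the 'analyze your own systems' step: run over
    logs, exports or database dumps and report (masked) any PAN-length
    digit run that passes Luhn, so accidental plaintext storage surfaces."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample record using a well-known test card number.
    card = minimise_record({"pan": "4111 1111 1111 1111", "expiry": "12/29"})
    print(card.last4, card.pan_token[:16] + "...")
    # Constructed log line: the order reference is 13 digits but fails Luhn,
    # so only the real card number is reported.
    print(find_pans("2024-01-01 card 4111 1111 1111 1111 auth ok; ref 1234567890123"))
```

The discovery regex errs toward false positives (any Luhn-valid run of 13 to 19 digits), which is the right trade-off for an internal scan whose purpose is to find storage the merchant did not know about; each hit is reported masked so the scan itself does not create another copy of the PAN.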

Fortunately, Compliance Services can help you find a widely used encryption solution that fits your specific business requirements and use it in the recommended way with an eye toward the procedural as well as the technical requirements.


