PCI Requirement 3 - Don't Store Cardholder Data!!

Derek Morris
Mar 19, 2018 1:58:05 PM


This is the third blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through the process of becoming or maintaining compliance with the PCI Data Security Standards. Click here for our blog posts on requirement 1 and requirement 2.  

PCI Requirement 3 - Protect Cardholder Data!!!

Requirement 3 is a slippery slope. Its focus is around protecting the cardholder data (CHD) you may store. This presents challenges to the business if they choose to store CHD. The simple way to comply with this requirement is DO NOT STORE CARDHOLDER DATA!! We will get to some solutions on how to avoid storing cardholder data to mitigate your risk, but if you must store this data, here are 3 tips on how to navigate this requirement:

  1. Data classification is commonly overlooked but vitally important. How do you know how to protect what you don’t know you have?? Compass can assist your company in creating the policies, procedures and help identify your sensitive data especially card holder data.
  2. Encryption of cardholder data and the management of the encryption keys. This is a tough one to manage. There are so many moving parts to encryption key management, there are numerous PCI controls that cover this area and can present a possible failure for your PCI compliance. Easy fix is DO NOT STORE CARDHOLDER DATA!!
  3. Maintenance involved in the encryption processes. By storing CHD and having to encrypt that data it creates this cryptography element to your environment and procedures that requires ongoing monitoring and maintenance that may seem like busy work but is very critical.

As we mentioned earlier, there are numerous ways to avoid storing cardholder data in this day in age. A couple of examples that you could use include:

  • Businesses could use an outsourced system designed with processing credit card transactions.
  • A PCI Council approved Point to Point Encrypted (P2PE) solution is also a great way to avoid the storing of CHD. These solutions have major benefits like shrinking the scope of your PCI environment, thus leading to possible cost savings and reducing compliance risk.

Compass is well versed in the PCI compliance space and can help your company assess what specifically you must do to comply with the latest version of the PCI Data Security Standards. If you are already PCI compliant or want to see what is required on a quarterly, semi-annual, and annual basis for PCI Compliance, we have created a PCI Checklist to help. We have created one for service providers and one for merchants as the requirements for each are a little different. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement in PDF format that you can check off as you complete them. One note: This checklist is a tool to assist you with keeping track of your PCI Compliance initiatives, not a magic document that means you will automatically be (or become) PCI compliant!

To download your copy today, click on the button below:

New Call-to-action

You May Also Like

These Stories on PCI Compliance

Subscribe by Email

No Comments Yet

Let us know what you think