Data Category | Data Element | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4
---|---|---|---
Cardholder Data | Primary Account Number (PAN) | Yes | Yes
Cardholder Data | Cardholder Name | Yes | No
Cardholder Data | Service Code | Yes | No
Cardholder Data | Expiration Date | Yes | No
Sensitive Authentication Data | Full Track Data | No | Cannot store per Requirement 3.2
Sensitive Authentication Data | CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2
Sensitive Authentication Data | PIN/PIN Block | No | Cannot store per Requirement 3.2
PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.
Sensitive authentication data must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
Requirement 10: Track and monitor all access to network resources and cardholder data
Implement audit trails to link all access to system components to each individual user
Implement automated audit trails for all system components to reconstruct the following events:
Record at least the following audit trail entries for all system components for each event:
ii. Type of event
Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time
Review logs and security events for all system components to identify anomalies or suspicious activity
i. All security events
ii. Logs of all system components that store, process, or transmit CHD and/or SAD
iii. Logs of all critical system components
iv. Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)
Additional requirement for service providers only:
Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
i. Firewalls
ii. IDS/IPS
iii. FIM
iv. Anti-virus
v. Physical access controls
vi. Logical access controls
vii. Audit logging mechanisms
viii. Segmentation controls (if used)
Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
i. Restoring security functions
ii. Identifying and documenting the duration (date and time start to end) of the security failure
iii. Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
iv. Identifying and addressing any security issues that arose during the failure
v. Performing a risk assessment to determine whether further actions are required as a result of the security failure
vi. Implementing controls to prevent cause of failure from reoccurring
vii. Resuming monitoring of security controls
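Two of the controls above lend themselves to an automated check: the retention rule (one year retained, three months immediately available) and the detection of a failed audit logging mechanism with its start and end time documented. The following is an added example, not part of the PCI DSS text; it assumes a constructed single-line log format and a hypothetical silence threshold per component.

```python
"""Checks modelled on PCI DSS Requirement 10: detect a lapse in audit logging for a
system component (failure of audit logging mechanisms) and verify audit-trail
retention. The log format and sample lines are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <component> <event type> <user>"
SAMPLE_LOG = """\
2024-03-01T00:00:00 fw-01 rule-match svc
2024-03-01T00:05:00 fw-01 rule-match svc
2024-03-01T00:06:00 db-01 login-success alice
2024-03-01T00:40:00 fw-01 rule-match svc
2024-03-01T01:00:00 db-01 login-failure bob
"""

REQUIRED_FIELDS = ("time", "component", "event_type", "user")


def parse_log(text):
    """Parse lines into dicts; reject any entry missing a required field."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(REQUIRED_FIELDS):
            raise ValueError(f"malformed audit entry: {line!r}")
        values = (datetime.fromisoformat(parts[0]), *parts[1:])
        entries.append(dict(zip(REQUIRED_FIELDS, values)))
    return entries


def logging_gaps(entries, max_silence):
    """Return [(component, start, end)] for every period in which a component
    produced no audit entries for longer than max_silence. Each tuple gives the
    start and end of the suspected logging failure, as the response process
    requires them to be documented."""
    last_seen = {}
    gaps = []
    for e in sorted(entries, key=lambda e: e["time"]):
        comp = e["component"]
        if comp in last_seen and e["time"] - last_seen[comp] > max_silence:
            gaps.append((comp, last_seen[comp], e["time"]))
        last_seen[comp] = e["time"]
    return gaps


def retention_ok(oldest_online, oldest_archived, now):
    """At least one year retained overall, with the most recent three months
    (taken here as 90 days) immediately available for analysis."""
    return (now - oldest_online >= timedelta(days=90)
            and now - oldest_archived >= timedelta(days=365))
```

In a real deployment the silence threshold would be set per component from its normal event rate, so that a quiet but healthy system is not reported as a logging failure.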
Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties