Storage Permitted | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4 | |
---|---|---|---|
Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
Cardholder Name | Yes | No | |
Service Code | Yes | No | |
Expiration Date | Yes | No | |
Sensitive Authentication Data | Full Track Data | No | Cannot store per Requirement 3.2 |
CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2 | |
PIN/PIN Block | No | Cannot store per Requirement 3.2 |
PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.
Sensitive authentication data must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements
Requirement 11: Regularly test security systems and processes.
Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)
Implement a methodology for penetration testing that includes the following:
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties