Summary of PCI DSS Requirement 3

Keep Cardholder Storage to a Minimum
As part of your development of policies, you will establish a data retention policy. This is a crucial piece of an information assurance plan. There is no need to store sensitive data longer than business, legal, and regulatory requirements dictate.

Do Not Store Sensitive Authentication Data Subsequent to Authorization
Once a transaction has been authorized or “cleared,” there is no justification for storing any of the following sensitive data:
- Full contents of any track from the magnetic stripe on the back of the card
- Card verification code
- PIN
- PIN block (encrypted pin block)

Mask the PAN When Displayed
The first six digits and the last four digits are the maximum that can be displayed. (Point-of-sale restrictions may be more demanding than this standard.) This requirement is focused on the storage, retrieval, and display of the number.

Render PAN (at Minimum) Unreadable Anywhere it is Stored
This requirement is most easily achieved by encryption, but other methods are allowed, such as a one-way hash, truncation, and padding.
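The masking rule from the previous section and the truncation/one-way-hash options from this one, as an added Python example (not code from the original post or from the PCI SSC). The PANs are well-known test numbers, and the HMAC key is a constructed placeholder; using a keyed rather than plain hash is an assumption beyond the post's wording, made because the PAN space is small enough that an unkeyed hash can be brute-forced.

```python
import hashlib
import hmac
import re

# Constructed sample inputs: standard test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "378282246310005", "4111-1111-1111-1111"]
PLACEHOLDER_HASH_KEY = b"replace-with-a-managed-secret-key"  # assumption


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not 13-19 digits."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Display form: reveal at most the first six and last four digits.

    The function refuses any request that would show more than that."""
    if first > 6 or last > 4 or first < 0 or last < 0:
        raise ValueError("display may reveal at most first 6 and last 4 digits")
    digits = normalize_pan(pan)
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]


def truncate_pan(pan: str) -> str:
    """Storage form by truncation: keep only the last four digits.

    Unlike masking, the discarded digits are never written anywhere."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Storage form by one-way keyed hash (HMAC-SHA256) of the normalized PAN.

    Lets a stored value be matched against a freshly presented card without
    keeping the PAN itself; the key must be managed like an encryption key."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(mask_pan(pan), truncate_pan(pan), hash_pan(pan, PLACEHOLDER_HASH_KEY)[:16])
```

Masking is only for display; the stored copy must still be truncated, hashed, or encrypted, and the truncated or hashed form must never be stored alongside a masked form that would let the full PAN be reassembled.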

Protect Encryption Keys Used for Encryption of Cardholder Data Against Both Disclosure and Misuse
PCI DSS details 12 different items for the proper management of encryption keys. These will not be detailed here other than to point out that this is again something that would be included in your policies. They include processes, procedures, and who the custodian of these keys would be. The management of encryption keys is probably the most resource-intensive aspect of encryption. Some methods of encryption make this simpler than others. Consider this aspect and make sure you ask the right questions of potential vendors when evaluating your encryption solution(s).
