PCI DSS Encryption Requirements
PCI DSS v4.0 cryptographic mandates for cardholder data protection covering storage encryption, transit encryption, key management, and scope reduction techniques.
Continue your mission
PCI DSS v4.0 cryptographic mandates for cardholder data protection covering storage encryption, transit encryption, key management, and scope reduction techniques.
# PCI DSS Encryption Requirements
Payment Card Industry Data Security Standard (PCI DSS) encryption requirements establish the cryptographic baseline that any organization touching cardholder data must meet. They exist because unprotected payment data is among the most monetized data types on criminal markets, and the financial industry needed a unified technical floor to replace the patchwork of proprietary bank security programs that preceded it. Requirements 3 and 4 of PCI DSS v4.0 define how organizations must protect stored account data and secure cardholder data in transit. Without these controls, card numbers flow through infrastructure in plaintext, get written to logs, cached in memory dumps, and intercepted on networks, turning routine business operations into sustained data exposure events.
---
PCI DSS encryption requirements are the cryptographic mandates within the Payment Card Industry Data Security Standard, governed by the PCI Security Standards Council (PCI SSC). They apply specifically to the protection of account data, which includes the Primary Account Number (PAN), cardholder name, expiration date, service code, and sensitive authentication data (SAD) such as CVV/CVC values, PIN blocks, and full magnetic stripe data.
Requirement 3 governs data at rest. It mandates that any stored PAN be rendered unreadable through strong cryptography (AES-256 or RSA-2048 minimum), one-way salted hashing (SHA-256 or stronger), truncation, or tokenization. Requirement 4 governs data in transit. It requires that PAN transmitted over open or public networks be protected using TLS 1.2 or higher with approved cipher suites.
These requirements are distinct from general data privacy encryption obligations under GDPR or HIPAA. PCI DSS is specifically scoped to payment card data and carries its own audit and enforcement mechanism through Qualified Security Assessors (QSAs) and the card brands (Visa, Mastercard, Amex, Discover). It is not a government regulation but a contractual standard; however, non-compliance can result in fines from acquiring banks and card brand penalties that carry real financial weight.
PCI DSS encryption requirements are not a complete security program on their own. They do not cover encryption of general enterprise data, employee records, or systems outside the cardholder data environment (CDE). They also do not mandate end-to-end encryption in the application layer unless PAN traversal is involved. Tokenization and Point-to-Point Encryption (P2PE) are scope-reduction strategies, not encryption alternatives in the strict sense; they can remove systems from PCI scope entirely, which is a materially different outcome than encrypting data in-scope.
---
The first operational question Requirement 3 forces is whether cardholder data needs to be stored at all. PCI DSS v4.0 maintains the position that sensitive authentication data (CVV, PIN, full magnetic stripe) must never be stored after transaction authorization under any circumstances. If a merchant retains CVV values in a database, even temporarily, that is a direct violation regardless of what encryption is applied.
For PAN storage, the organization must implement one or more of the following controls:
Strong cryptography: AES-256 is the standard implementation for symmetric encryption of stored PANs. The encrypted ciphertext is stored in the database; the encryption key is stored separately, typically in a Hardware Security Module (HSM) or a dedicated key management system. A real-world implementation might look like this: a payment processor stores encrypted PANs in a PostgreSQL table. The encryption key is held in a FIPS 140-2 Level 3 HSM. Application servers call the HSM API at runtime to decrypt only the specific record needed for a transaction, and only for authenticated, authorized sessions. The HSM logs every key use, providing an audit trail independent of the application.
Salted one-way hashing: SHA-256 or SHA-3 with a cryptographically random salt renders PAN values into fixed-length digests that cannot be reversed. This approach is appropriate when the system only needs to verify a PAN (for example, checking if a card is already on file) rather than recover the original number. PCI DSS v4.0 Requirement 3.5.1.2 explicitly requires keyed cryptographic hashing (HMAC) as an option, providing an additional layer of protection where the hash output is tied to a secret key.
Truncation: Only a portion of the PAN is stored. Common practice is to retain the first six digits (Bank Identification Number) and the last four digits, masking the middle digits entirely. No cryptographic process is involved; the sensitive middle digits simply do not exist in the system.
Tokenization: The PAN is replaced with a surrogate value (a token) that maps back to the original PAN in a separate, tightly controlled token vault. The merchant system only ever sees the token. The token vault is isolated, and the mapping is protected by encryption and strict access controls. If an attacker compromises the merchant database, they recover tokens with no intrinsic payment value.
Key management is where most organizations struggle in practice. PCI DSS v4.0 Requirements 3.7.1 through 3.7.9 define the full key lifecycle: key generation using NIST-approved algorithms, secure distribution, secure storage (preferably in an HSM), access control with split knowledge and dual control for manual operations, key rotation at least annually (or when compromise is suspected), and documented retirement and destruction procedures.
Split knowledge means no single individual possesses an entire cryptographic key. Dual control means at least two people must be present and authenticated before a key operation is performed. These controls exist to prevent insider threats from extracting key material unilaterally.
The most common key management failure is storing encryption keys in the same system as the encrypted data. A web application that stores encrypted PANs in MySQL and stores the encryption key as an environment variable on the same server has not meaningfully protected the data. If an attacker compromises the server, they obtain both the encrypted data and the key to decrypt it. True protection requires that keys be stored in a separate system with independent access controls.
HSMs provide the gold standard for key protection. They are hardware appliances specifically designed to generate, store, and use encryption keys. FIPS 140-2 Level 3 and Level 4 HSMs include tamper-evident and tamper-resistant features: attempts to physically breach the device trigger automatic key deletion. Cloud HSM services from major providers (AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM) make HSM functionality available without requiring on-premises hardware investment.
Requirement 4 applies whenever PAN moves across open or public networks, including the internet, wireless networks, and mobile networks. TLS 1.2 is the current minimum; TLS 1.3 is preferred in v4.0 guidance. SSL and TLS 1.0 are explicitly prohibited. TLS 1.1 has been removed from acceptable configurations in v4.0.
A concrete implementation scenario: an e-commerce merchant accepts card numbers through a payment page. The web server must terminate TLS at a minimum version of 1.2 with a cipher suite that provides forward secrecy (ECDHE-based key exchange) and authenticated encryption (AES-GCM). Cipher suites using RC4, DES, 3DES (for new implementations), or anonymous key exchange are prohibited. The server certificate must be from a trusted Certificate Authority, and the configuration must be validated using a tool such as SSL Labs Server Test, with a result of at least grade A.
The practical challenge is that TLS configuration is notoriously difficult to get right and easy to misconfigure. Common failures include: allowing weak cipher suites for compatibility with legacy clients, failing to disable older TLS versions, using self-signed certificates in production, allowing certificate expiration, and implementing TLS at the load balancer but using unencrypted connections between the load balancer and application servers.
PCI DSS v4.0 introduces new requirements around certificate inventory and management (Requirement 4.2.1.1). Organizations must maintain an inventory of all trusted keys and certificates used to protect cardholder data in transmission, including certificate expiration dates and certificate issuers. This forces formal certificate lifecycle management rather than ad-hoc certificate deployment.
For organizations processing high volumes of transactions, certificate management at scale becomes a significant operational concern. Automated certificate management using protocols like ACME (Automatic Certificate Management Environment) and services like Let's Encrypt can prevent certificate expiration incidents that temporarily break PCI compliance and disrupt payment processing.
PCI DSS encryption requirements only apply to systems that store, process, or transmit cardholder data. Network segmentation is a critical architectural decision that determines how broadly encryption requirements apply. If cardholder data flows throughout an organization's network, the entire network falls under PCI scope, and encryption requirements apply broadly. If cardholder data is confined to a small, isolated network segment, encryption requirements apply only to that segment.
Effective segmentation requires multiple layers: network-level controls (firewalls, VLANs), host-level controls (iptables rules, Windows Firewall), and application-level controls (authentication, input validation). The segmentation must be validated through penetration testing that demonstrates an attacker on a non-CDE system cannot access CDE resources.
---
The business case for PCI DSS encryption is not abstract. In 2013, Target Corporation suffered a breach that exposed 40 million credit and debit card numbers. The attack vector was a third-party HVAC vendor with network access to the payment environment. Investigators found that cardholder data was captured in memory by malware on point-of-sale systems before encryption could be applied, a technique known as RAM scraping. The breach cost Target an estimated $202 million in settlements, fines, and remediation costs, and it triggered a wave of industry-level reform that accelerated adoption of chip-and-PIN and end-to-end encryption.
The critical lesson is not just that encryption failed, but that scope and architecture decisions determined where encryption applied and where it did not. PAN data was technically encrypted in storage but was exposed in memory during processing, which PCI DSS cannot fully prevent through Requirement 3 alone. This illustrates why scope reduction strategies (P2PE, tokenization) matter: they remove the PAN from the merchant environment entirely, so there is nothing for a RAM scraper to capture.
More recently, the 2019 Capital One breach exposed 100 million credit applications containing payment data. The breach occurred because a misconfigured web application firewall allowed an attacker to access AWS S3 buckets containing encrypted customer data. While the data was encrypted, the encryption keys were stored in the same AWS account that was compromised, allowing the attacker to decrypt the sensitive information. Capital One was fined $80 million by federal regulators and paid an additional $190 million in customer settlements.
A common misconception is that passing a PCI DSS audit means a system is secure. Compliance is a point-in-time assessment, not a continuous security guarantee. Organizations that achieve compliance and then allow configurations to drift, skip key rotation, or fail to patch TLS libraries may be technically non-compliant within weeks of an audit while carrying a current Report on Compliance (ROC).
A second misconception is that tokenization and encryption are equivalent alternatives. They solve different problems. Encryption protects data that must remain in the environment. Tokenization removes the sensitive data from the environment. The latter is operationally superior for scope reduction but requires a separate, highly secured token vault that becomes its own critical asset to protect.
Non-compliance with PCI DSS can result in fines from card brands ranging from $5,000 to $100,000 per month depending on merchant tier, increased transaction fees, mandatory forensic investigations at the merchant's expense, and ultimately the termination of card acceptance privileges. For many businesses, losing the ability to accept credit cards is an existential threat.
---
CDA approaches PCI DSS encryption requirements through the Planetary Defense Model (PDM) under the Data Protection and Sovereignty (DPS) domain, with methodology grounded in the Sovereign Data Protocol (SDP): your data lives where you decide. Period.
Most organizations treat PCI DSS as a compliance exercise. They implement AES-256 because the QSA checklist requires it, rotate keys annually because the calendar says to, and stop there. The SDP methodology goes further: it demands that organizations make intentional architectural decisions about where cardholder data exists, under what conditions, and with what controls, rather than inheriting those decisions from default infrastructure configurations.
In CDA's operational framework, the first step before any encryption implementation is data flow mapping with disposition intent. Before configuring TLS or deploying an HSM, an organization should be able to answer: which systems touch PAN, under what processing conditions, for how long, and who controls the keys? Key control is sovereignty. If an organization's encryption keys are managed by a cloud provider's default key management service with shared administrative access, the organization does not actually control its cardholder data. CDA's SDP methodology requires that key management be a deliberate, documented decision with verifiable access controls, not a default configuration accepted at provisioning time.
CDA also treats scope reduction as a security architecture decision, not merely a compliance cost-reduction strategy. Deploying validated P2PE removes PAN from merchant systems entirely, which is a fundamentally different risk posture than encrypting PAN in a system the organization continues to operate and defend. Under the Planetary Defense Model, the preferred outcome is that sensitive data does not exist in environments where it does not need to exist. Encryption is the control of last resort when data must remain; tokenization and P2PE are the controls of first choice when architectural options exist.
Finally, CDA emphasizes that key lifecycle management requires operational rehearsal, not just documented procedures. Organizations should periodically test key rotation, key destruction, and key recovery processes in non-production environments so that when a key compromise is suspected, the response is a practiced procedure rather than a crisis improvisation. The RGA (Risk Governance and Assurance) domain intersects with DPS here: governance frameworks must validate that cryptographic controls are not just implemented but operationally sustainable.
---
---
---
CDA Theater missions that address topics covered in this article.
COBIT 2019 is ISACA's IT governance framework with 40 objectives across five domains, featuring a flexible design factor system that aligns IT strategy with business goals and maps to standards like NIST CSF and ISO 27001.
CMMC 2.0 requires defense contractors to demonstrate cybersecurity maturity at three levels.
HITRUST CSF harmonizes multiple frameworks into one certifiable standard for healthcare.
Written by CDA Editorial
Found an issue? Help improve this article.