PCI DSS Req. 3 | Severity: critical | PCI-DSS | International

PCI-DSS Requirement 3 — Protect Stored Account Data

Enforced by: PCI SSC
Current as of March 31, 2022

Plain Language Summary
CVV/CVC codes must NEVER be stored after authorization. PAN must be stored encrypted or truncated. Best strategy: tokenize and don't store card data at all.

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. The primary account number (PAN) must be unreadable anywhere it is stored. Sensitive authentication data, including the full magnetic stripe, the CAV2/CVC2/CVV2/CID code, and the PIN/PIN block, must not be stored after authorization, even if encrypted. Requirement 3.4: PANs must be rendered unreadable anywhere they are stored, using strong cryptography, index tokens, or truncation.
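The following is an added example, not text or code from the PCI SSC standard, showing what these rules look like as a pre-storage filter in application code: it rejects any record carrying sensitive authentication data, replaces the PAN with a random index token plus a truncated form, keeps a keyed hash as a lookup index, and includes a small detector for Luhn-valid PANs in free text such as log lines. The HMAC key, the in-memory TokenVault (a stand-in for a separate tokenization service, which would have to protect the PAN itself with strong cryptography), the first-6/last-4 truncation format, and the sample record and log line are all constructed assumptions for the demo.

```python
"""Added example (not PCI SSC material): Requirement 3 rules applied to a payment
record before it is written to storage. Sample data is constructed; 4111 1111 1111
1111 is the well-known Visa test number."""
import hashlib
import hmac
import re
import secrets

# Sensitive authentication data (SAD): must never be persisted after
# authorization, encrypted or not.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid", "track1", "track2",
              "pin", "pin_block"}

# Assumption: a secret held outside the database (e.g. in a secrets manager).
# PCI DSS v4.0 requires hashes of PAN to be keyed; an unkeyed hash can be
# brute-forced by BIN range because the PAN keyspace is small.
HASH_KEY = b"constructed-demo-key-do-not-use"

PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; filters random numbers out of PAN detection."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: retain only the first 6 and last 4 digits; the rest are discarded.
    (First 6/last 4 is accepted under every PCI DSS version; v4.0 additionally
    permits first 8/last 4 for PANs of 16 or more digits.)"""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length number")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable as a non-reversible index."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Toy stand-in for a tokenization service. The merchant system keeps only the
    random token; the real vault is a separate, PCI-scoped system that must protect
    the PAN with strong cryptography (not implemented in this demo)."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._store[token] = re.sub(r"\D", "", pan)
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def prepare_for_storage(record: dict, vault: TokenVault) -> dict:
    """Return the subset of a payment record that may be persisted.
    Raises if any SAD field is present; the clear PAN never reaches the result."""
    present = SAD_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"sensitive authentication data must not be stored: {sorted(present)}")
    pan = record["pan"]
    if not luhn_ok(re.sub(r"\D", "", pan)):
        raise ValueError("PAN fails Luhn check")
    return {
        "token": vault.tokenize(pan),
        "pan_truncated": truncate_pan(pan),
        "pan_index": hash_pan(pan),
        "expiry": record.get("expiry"),
        "cardholder": record.get("cardholder"),
    }


def find_pans(text: str) -> list[str]:
    """Detection aid: Luhn-valid PAN-length digit runs in free text (e.g. a log
    line), so that accidental PAN leakage into logs or debug output is caught."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record: note there is no CVV field to store.
    stored = prepare_for_storage(
        {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cardholder": "J DOE"}, vault)
    print(stored)
    # Constructed log line that leaked a PAN; the detector flags it.
    print(find_pans("2024-03-31 INFO charge ok pan=4111 1111 1111 1111 amount=10.00"))
```

The stored record contains the token, the truncated PAN, the keyed index and non-sensitive fields only; a record arriving with `cvv` (or any other SAD field) is refused outright rather than silently dropped, so the bug that put it there is surfaced instead of masked.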