3.5.3 PCI DSS (v3.2.1)
Compliance Standard: PCI DSS
Compliance Version: (v3.2.1)
Control ID: 3.5.3
Requirement 3: Protect stored cardholder data (v3.2.1)
Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method
Note: It is not required that public keys be stored in one of these forms.