top of page
< Back

3.5.3 PCI DSS (v3.2.1)

Compliance Standard

Compliance Version

Control ID




Requirement 3: Protect stored cardholder data


Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method

Note: It is not required that public keys be stored in one of these forms.

bottom of page