{"id":173,"date":"2022-08-18T18:32:19","date_gmt":"2022-08-18T16:32:19","guid":{"rendered":"https:\/\/pcihispano.org\/?p=173"},"modified":"2026-05-06T19:17:14","modified_gmt":"2026-05-06T17:17:14","slug":"analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/","title":{"rendered":"Analysis of PCI DSS v4.0 \u2013 Part III: Requirements 3 and 4"},"content":{"rendered":"<p><span class=\"intro-text\">Continuing with the <a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\">analysis of version 4.0 of the PCI DSS standard<\/a>, this third part of the series analyses requirements 3 and 4, which belong to the group \u201c<em>Protect Account Data<\/em>\u201d, aimed at protecting the confidentiality and integrity of payment card data during storage and during transmission over open, public networks.<\/span><\/p>\n<div class=\"su-box su-box-style-glass\" id=\"\" style=\"border-color:#000000;border-radius:5px;max-width:none\"><div class=\"su-box-title\" style=\"background-color:#333333;color:#FFFFFF;border-top-left-radius:3px;border-top-right-radius:3px\">Analysis of PCI DSS v4.0<\/div><div class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:3px;border-bottom-right-radius:3px\">\n<p>All articles in the series <a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0<\/a>:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part I: Introduction<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part II: Requirements 1 and 2<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part III: Requirements 3 and 4<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part IV: Requirements 5 and 6<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part V: Requirements 7, 8 and 9<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part VI: Requirements 10 and 11<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0 \u2013 Part VII: Requirement 12<\/a><\/li>\n<\/ul>\n<\/div><\/div>\n<p>Like most PCI DSS v4.0 requirements, requirements 3 and 4 were renamed to extend their scope and to align these controls with the applicability of the standard as stated in section 2, \u2018PCI DSS Applicability Information\u2019: <em>PCI DSS requirements apply to entities with environments where account data (<u>cardholder data and\/or sensitive authentication data<\/u>) is stored, processed, or transmitted, and entities with environments that can impact the security of the CDE<\/em>.<\/p>\n<p><img class=\"aligncenter size-full wp-image-216\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Group2.png?resize=900%2C175&#038;ssl=1\" alt=\"\" width=\"900\" height=\"175\" \/><\/p>\n<p>While in version 3.2.1 of the PCI DSS standard the names of the group and of requirements 3 and 4 mentioned only the protection of cardholder data (<em>Cardholder Data<\/em>), in version 4.0 the scope is extended to cover not only cardholder data but also sensitive authentication data (<em>Sensitive Authentication Data<\/em>), in accordance with the definitions of these concepts in the standard:<\/p>\n<div id=\"attachment_210\" style=\"width: 974px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-210\" class=\"size-full wp-image-210\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/account_data_pcidss.png?resize=900%2C211&#038;ssl=1\" alt=\"\" width=\"900\" height=\"211\"
sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-210\" class=\"wp-caption-text\">Components of the \"Account Data\" concept in PCI DSS<\/p><\/div>\n<h2>Requirement 3: <em>Protect Stored Account Data<\/em><\/h2>\n<p><img class=\"aligncenter size-full wp-image-217\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req3.png?resize=900%2C78&#038;ssl=1\" alt=\"\" width=\"900\" height=\"78\" \/><\/p>\n<p>As in previous versions of the PCI DSS standard, this requirement is focused on protecting card data while it is stored.<\/p>\n<p>Although this requirement has always included specific controls aimed at protecting the full contents of the magnetic stripe, the PIN\/PIN block and the card verification code (<em>Card Verification Code<\/em>), the name of the requirement (<em>Protect Stored <u>Cardholder Data<\/u><\/em>) referred only to cardholder data (<em>Cardholder Data<\/em>), which introduced a certain inconsistency between the controls contained in the requirement and its name, since sensitive authentication data (<em>Sensitive Authentication Data<\/em>) was not explicitly included. In version 4.0 of the PCI DSS standard this has been resolved: the name of the requirement (<em>Protect Stored <u>Account Data<\/u><\/em>) is now aligned with the types of data it protects, namely cardholder data (<em>Cardholder Data<\/em>) and sensitive authentication data (<em>Sensitive Authentication Data<\/em>), both of which form part of account data (<em>Account Data<\/em>).<\/p>\n<p>Some of the most significant changes to this requirement are:<\/p>\n<h3>Clarification of card data storage types<\/h3>\n<p>Version 4.0 adds to this requirement a series of clarifications that had been awaited for a long time. First, <span class=\"highlight\">there is an explicit separation of the <strong>card data storage types<\/strong>, including the restrictions and the applicability of controls for each of them<\/span>:<\/p>\n<ul>\n<li><strong>Persistent storage<\/strong> (non-volatile): This type of storage applies when card data is retained after its business purpose (for example, the associated transaction) has been completed. It includes intentional or unintentional storage on media such as hard drives, backup drives and removable storage media, in the form of event log files (<em>logs<\/em>), historical archives (<em>history files<\/em>), trace files (<em>trace files<\/em>), database contents, memory\/crash dump files, etc. For this type of storage, <u>all the controls of requirement 3 apply<\/u>.<\/li>\n<li><strong>Non-persistent storage<\/strong> (volatile): This type of temporary storage is used when card data is processed only for the duration of its business purpose. It includes RAM and other types of volatile memory, where the information is lost when power is removed. For this type of storage, <u>the data must be removed as soon as its business purpose has been fulfilled<\/u>. However, <u>additional controls such as data encryption are not required<\/u> as long as the data is not moved to persistent storage, as specified in <a href=\"https:\/\/pcissc.secure.force.com\/faq\/articles\/Frequently_Asked_Question\/Should-cardholder-data-be-encrypted-while-in-memory\">FAQ 1042<\/a>.<\/li>\n<\/ul>\n<div id=\"attachment_218\" style=\"width: 1173px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-218\" class=\"wp-image-218\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/storage_pcidss.png?resize=900%2C498&#038;ssl=1\" alt=\"\" width=\"900\" height=\"498\" \/><p id=\"caption-attachment-218\" class=\"wp-caption-text\">Applicability of PCI DSS depending on the storage medium<\/p><\/div>\n<h3>Controls for the protection of sensitive authentication data<\/h3>\n<p>In addition, clarifications and controls have been added for the protection of sensitive authentication data (<em>Sensitive Authentication Data<\/em>) stored before the authorisation process is completed, including:<\/p>\n<ul>\n<li>Inclusion in the data retention and secure deletion policy, to limit the storage of this data to the minimum necessary (req. 3.2.1);<\/li>\n<li>Encryption of this data using robust cryptography, even if no PAN is present in the environment (req. 3.3.2 and 3.3.3).<\/li>\n<\/ul>\n<p>These controls will take effect on <u>31 March 2025<\/u>.<\/p>\n<h3>Masking and 8-digit BIN controls<\/h3>\n<p>Probably one of the controls that generated the most anticipation in this new version of the PCI DSS standard was the one related to masking the PAN when it is displayed, given the continuous changes in the criteria of the payment brands related to the introduction of eight-digit (8) BINs\/IINs. In this regard, and so as not to conflict with the payment brands, the standard kept its neutral position by clarifying that, when the PAN is displayed, only the BIN\/IIN (regardless of its length) and the last four digits may be shown. If additional digits need to be displayed, a list of the roles with this privilege, together with their business justification, must be maintained.<\/p>\n<p>This control is aligned with <a href=\"https:\/\/pcissc.secure.force.com\/faq\/articles\/Frequently_Asked_Question\/How-can-an-entity-meet-PCI-DSS-requirements-for-PAN-masking-and-truncation-if-it-has-migrated-to-8-digit-BINs\">FAQ 1492<\/a> of February 2021.<\/p>\n<h3>Copying\/relocating the PAN when using remote access technologies<\/h3>\n<p>In PCI DSS v3.2.1, control 12.3.10 prohibited copying, relocating and storing card data on local hard drives and removable storage media when that data is accessed through remote access technologies, unless there was an authorised business need. In PCI DSS v4.0 this control has been moved from requirement 12 to requirement 3, clarifying that it applies only to PAN data.<\/p>\n<p>This control will take effect on <u>31 March 2025<\/u>.<\/p>\n<h3>Secure PAN storage<\/h3>\n<p>One of the flagship controls of PCI DSS is the one that identifies the authorised methods for storing PAN data.
Although these methods have not changed between version 3.2.1 (req. 3.4) and version 4.0 (req. 3.5.1), several clarifications have been added:<\/p>\n<ul>\n<li>If a <strong>hash<\/strong> is used, <u>the function must be applied to the entire PAN using robust cryptography<\/u> (req. 3.5.1.1). Likewise, the use of a simple hash function will no longer be allowed: as of 31 March 2025, keyed cryptographic hash algorithms (<em>keyed cryptographic hashing algorithms<\/em>) such as HMAC, CMAC or GMAC must be used. Obviously, that key will have to meet the cryptographic key management requirements (reqs. 3.6 and 3.7).<\/li>\n<li>If <strong>truncation<\/strong> is used, <u>a hash cannot be used to replace the truncated part of the PAN<\/u>. Additionally, if truncated and hashed versions of the same PAN, or different truncation formats of the same PAN based on the payment brands\u2019 criteria (<a href=\"https:\/\/pcissc.secure.force.com\/faq\/articles\/Frequently_Asked_Question\/What-are-acceptable-formats-for-truncation-of-primary-account-numbers\">FAQ 1091<\/a>), coexist in the same environment, additional controls must be applied so that they cannot be correlated (<a href=\"https:\/\/pcissc.secure.force.com\/faq\/articles\/Frequently_Asked_Question\/How-can-an-entity-ensure-that-hashed-and-truncated-versions-cannot-be-correlated-as-required-in-PCI-DSS-Requirement-3-4\">FAQ 2014<\/a>).<\/li>\n<li>If <strong>encryption<\/strong> is used, <u>key management controls must be taken into account and robust cryptography must be used<\/u>.<\/li>\n<li>If tokenization (<em>index tokens<\/em>) is used, it is recommended to follow the criteria described in the PCI SSC document <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Tokenization_Product_Security_Guidelines.pdf\"><em>Tokenization Product Security Guidelines<\/em><\/a> and in the standard <em>ANSI X9.119-2-2017: Retail Financial Services \u2013 Requirements For Protection Of Sensitive Payment Card Data \u2013 Part 2: Implementing Post-Authorization Tokenization Systems<\/em>.<\/li>\n<\/ul>\n<h3>Using disk-level or partition-level encryption<\/h3>\n<p>Another control whose interpretation caused problems was the one related to the use of disk-level or partition-level encryption. With this mechanism the data is encrypted at rest, but it is automatically decrypted once the system is running or after a user authenticates successfully, so it is effective only while the storage medium is offline, protecting the entity if the medium is physically removed without authorisation.<\/p>\n<div id=\"attachment_220\" style=\"width: 1067px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-220\" class=\"size-full wp-image-220\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/TDE.png?resize=900%2C563&#038;ssl=1\" alt=\"\" width=\"900\" height=\"563\" \/><p id=\"caption-attachment-220\" class=\"wp-caption-text\">Transparent data encryption (TDE)<\/p><\/div>\n<p>Although it was well known that this type of encryption is only applicable when the PAN is stored on removable electronic media, since this restriction was not explicit in control 3.4.1 of PCI DSS v3.2.1, many entities used this mechanism to protect the PAN stored in databases without any additional control (<em>Transparent Data Encryption<\/em>, TDE, is a good example of this), exposing themselves to unnecessary risk.<\/p>\n<p>To avoid this ambiguity in the interpretation of the control, requirement 3.5.1.2 of version 4.0 clarifies that disk-level or partition-level encryption may only be used by itself on removable storage media; if it is used on other media (including server hard drives, hot-swappable drives, bulk tape backups, etc.), an additional protection mechanism from control 3.5.1 (hash, encryption, truncation or tokenization) must also be used.<\/p>\n<h3>Improvements in cryptographic key management processes<\/h3>\n<p>Finally, the cryptographic key management controls (req. 3.6 and 3.7) have been updated to cover cryptographic services in the cloud, to avoid the use of the same cryptographic key in production and test environments (req. 3.6.1.1, applicable only to service providers and from 31 March 2025), to require the use of approved random number generators within a secure cryptographic device (<em>Secure Cryptographic Device<\/em>, SCD) or other standards (such as ISO 19592) for generating keys or key components (req. 3.6.1.2 and 3.7.6), and to add responsibilities for service providers that share cryptographic keys with their customers (req. 3.7.9).<\/p>\n<h2>Requirement 4: <em>Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks<\/em><\/h2>\n<p><img class=\"aligncenter size-full wp-image-221\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req4.png?resize=900%2C91&#038;ssl=1\" alt=\"\" width=\"900\" height=\"91\" \/><\/p>\n<p>In PCI DSS version 4.0, requirement 4 was simplified and several clarifications were added on the use of robust cryptography, mainly to avoid situations such as the obsolescence of SSL and the use of early versions of TLS in the future. Likewise, many concepts that had already been discussed in the <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/best_practices_securing_ecommerce.pdf\"><em>Information Supplement \u2013 Best Practices for Securing E-commerce<\/em><\/a> were incorporated, especially those related to the management of digital certificates.<\/p>\n<p>In this sense, the main changes to this requirement were the following:<\/p>\n<ul>\n<li>Its applicability is limited exclusively to the transmission of the PAN over open, public networks, which include the Internet, wireless technologies (Wi-Fi and Bluetooth), mobile (cellular) communications technologies and satellite communications.
Accordingly, <u>encrypting the PAN during transmission within internal networks is not mandatory<\/u>, although it is good practice.<\/li>\n<li>When the PAN is transmitted over open, public networks, it can be protected by encrypting the data before it is transmitted, by encrypting the session over which it is transmitted, or both.<\/li>\n<\/ul>\n<div id=\"attachment_222\" style=\"width: 1173px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-222\" class=\"wp-image-222\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/encryption_data_channel.png?resize=900%2C425&#038;ssl=1\" alt=\"\" width=\"900\" height=\"425\" \/><p id=\"caption-attachment-222\" class=\"wp-caption-text\">Using data encryption and channel encryption in PCI DSS<\/p><\/div>\n<p>Depending on the option implemented, the following must be taken into account:<\/p>\n<ul>\n<li>If the data is encrypted before transmission, the keys used for this purpose must be covered by controls 3.6 and 3.7.<\/li>\n<li>If channel encryption is used, it must be validated that:\n<ul>\n<li>If certificates are used, they are trusted and are neither expired nor revoked (this control will take effect on <u>31 March 2025<\/u>).<\/li>\n<li>If self-signed certificates are used, they are acceptable if they are issued by an internal certificate authority (<em>Certificate Authority<\/em>), the author of the certificate is confirmed, and the certificate is verified and not expired.<\/li>\n<li>The protocols used support only secure versions.<\/li>\n<li>The strength of the cryptography employed is appropriate to the encryption methodology in use.<\/li>\n<li>An inventory of the keys and certificates used to protect the PAN during transmission is maintained (this control will take effect on <u>31 March 2025<\/u>).<\/li>\n<\/ul>\n<\/li>\n<li>If the organisation may receive unsolicited payment card data through insecure communication channels, there are two options to protect it:\n<ul>\n<li>Include the affected channel within the CDE and protect it according to the standard\u2019s controls; or<\/li>\n<li>Implement measures to prevent that channel from being used to transmit card data.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Other controls, such as transmitting the PAN over wireless networks or using end-user messaging technologies, remain in place as long as robust cryptography is used.<\/p>\n<p>The next article in this series will discuss requirements 4 and 5 of PCI DSS, aimed at protection against malicious code, security updates, change management and secure development.<\/p>\n<h2>References<\/h2>\n<ul>\n<li>Information Supplement \u2013 Best Practices for Securing E-commerce <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/best_practices_securing_ecommerce.pdf\">https:\/\/www.pcisecuritystandards.org\/pdfs\/best_practices_securing_ecommerce.pdf<\/a><\/li>\n<li>Use of SSL\/Early TLS and Impact on ASV Scans <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Use-of-SSL-Early-TLS-and-ASV-Scans.pdf\">https:\/\/www.pcisecuritystandards.org\/documents\/Use-of-SSL-Early-TLS-and-ASV-Scans.pdf<\/a><\/li>\n<li>Use of SSL\/Early TLS for POS POI Terminal Connections <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Use-of-SSL-Early-TLS-for-POS-POI-Connections.pdf\">https:\/\/www.pcisecuritystandards.org\/documents\/Use-of-SSL-Early-TLS-for-POS-POI-Connections.pdf<\/a><\/li>\n<li>Tokenization Product Security Guidelines <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Tokenization_Product_Security_Guidelines.pdf\">https:\/\/www.pcisecuritystandards.org\/documents\/Tokenization_Product_Security_Guidelines.pdf<\/a><\/li>\n<li>PCI DSS Wireless Guidelines <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/PCI_DSS_v2_Wireless_Guidelines.pdf\">https:\/\/www.pcisecuritystandards.org\/pdfs\/PCI_DSS_v2_Wireless_Guidelines.pdf<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Continuing with the analysis of version 4.0 of the PCI DSS standard, in this third part of the series requirements 3 and 4, which form part of the \u2018Protect Account Data\u2019 group, focused on the protection of the [\u2026] will be
analyzed.<\/p>","protected":false},"author":2,"featured_media":174,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[7,354],"tags":[8,209,16,17,18,19,20,21,22],"class_list":["post-173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pci-dss-4-0","category-pcidss","tag-4-0","tag-almacenamiento","tag-certificado","tag-cifrado","tag-enmascaramiento","tag-hash","tag-tokenizacion","tag-transmision","tag-truncamiento"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1920%2C1080&ssl=1","jetpack-related-posts":[{"id":98,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/","url_meta":{"origin":173,"position":0},"title":"An\u00e1lisis de PCI DSS v4.0 &#8211; Parte I: Introducci\u00f3n","author":"David Acosta","date":"agosto 17, 2022","format":false,"excerpt":"En esta primera parte de esta serie \"An\u00e1lisis de PCI DSS v4.0\" se analizar\u00e1 la historia detr\u00e1s de la versi\u00f3n 4.0 del est\u00e1ndar, las variables que influyeron en su cambio y el proceso de revisi\u00f3n y publicaci\u00f3n asociado. 
A continuaci\u00f3n, en entregas subsiguientes, se realizar\u00e1 una revisi\u00f3n a los cambios\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":477,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/","url_meta":{"origin":173,"position":1},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte VII: Requerimiento 12","author":"David Acosta","date":"noviembre 17, 2022","format":false,"excerpt":"En este pen\u00faltimo art\u00edculo de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se presenta un an\u00e1lisis a los cambios del requerimiento 12 - parte del grupo 6 \u201cMaintain an Information Security Policy\u201d- en la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS. 
Requerimiento 12: Support Information Security with Organizational Policies and Programs\u2026"}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=173"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/173\/revisions"}],"predecessor-version":[{"id":11750,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/173\/revisions\/11750"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/174"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}