Preparing for PCI DSS 4.0.1: New Data Storage Requirements Coming for Requirement 3 in 2025
As the payment industry evolves to combat emerging threats, PCI DSS v4.x brings new requirements under Requirement 3: Protect Stored Account Data. Introduced in v4.0 as future-dated best practices and retained in v4.0.1, they become mandatory on March 31, 2025. The updates emphasize stronger cryptographic protections, stricter data retention, and tighter control over where stored payment data can go. Organizations must adopt these practices to remain compliant and to protect cardholder data effectively. This is part 2 of the Understanding the New PCI DSS v4.x Compliance Requirements series.
Let’s explore the significant changes and their implications.
Key Updates to Requirement 3
1. Storage of Account Data is Minimized (Requirement 3.2.1)
Requirement 3.2.1 already required data retention and disposal policies for account data; the future-dated addition is a new bullet that extends that coverage to any sensitive authentication data (SAD) stored before authorization is complete, so that pre-authorization SAD is kept only as long as authorization needs it and is then securely deleted. Key elements include:
- Retention Policies: Identify what data must be retained and for how long, and securely delete data once it’s no longer necessary.
- Storage Limitations: After authorization, the only account data that may be stored are PAN (rendered unreadable), cardholder name, expiration date, and service code. Sensitive Authentication Data (full track data, card verification codes such as CVV2, and PINs or PIN blocks) must not be retained after authorization, even if it is encrypted.
Good Practices:
- Regularly audit all storage locations, including backups, removable devices, and even audio recordings.
- Automate the secure deletion of account data after its retention limit.
2. Encryption for Electronically Stored SAD (Requirement 3.3.2)
Any SAD stored electronically before authorization is complete must be encrypted using strong cryptography. Plaintext SAD is exactly what an attacker needs to produce counterfeit cards or initiate fraudulent transactions, so it must never sit unprotected on disk, in a message queue, or in a log, even briefly. Encryption does not extend the retention window: the SAD must still be deleted once authorization completes (Requirement 3.3.1).
Good Practices:
- Use a cryptographic key dedicated to SAD, different from the key that protects stored PAN, so that compromise of one does not expose the other.
- Restrict and monitor access to the SAD key, and manage it under the same key-management controls (Requirements 3.6 and 3.7) as every other key protecting account data.
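As an added example (not code from the original post, and not any vendor's implementation), the following Go program sketches a pre-authorization SAD vault that follows 3.2.1 and 3.3.2 together: SAD is encrypted with AES-256-GCM under a key dedicated to SAD, bound to its transaction ID, handed out exactly once when the authorization request is built (and deleted in the same step), and swept out after a retention limit if the authorization never completes. The transaction IDs, the sample CVV2 and the two-minute retention limit are constructed for the example, and the key is generated in memory where a real system would pull it from an HSM or KMS.

```go
// Added example (not from the original post): a pre-authorization SAD vault that
// encrypts SAD under a key dedicated to SAD, deletes the record when the
// authorization request is built, and purges anything past the retention limit.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// mustKey draws a 256-bit key from the OS CSPRNG (a real deployment takes it from an
// HSM/KMS managed under Requirements 3.6 and 3.7). A CSPRNG failure is fatal.
func mustKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// record is one encrypted SAD value (a CVV2, say) waiting for the authorization response.
type record struct {
	nonce, ciphertext []byte // AES-256-GCM nonce and ciphertext with the tag appended
	storedAt          time.Time
}

// SADVault holds SAD only between capture and completion of authorization.
type SADVault struct {
	aead    cipher.AEAD
	maxAge  time.Duration     // retention limit for authorizations that never complete
	records map[string]record // keyed by transaction ID
	now     func() time.Time  // clock hook so the retention sweep is testable
}

// NewSADVault takes the SAD key only. The PAN key is a different key held by the PAN
// store and must never be passed here (the key separation recommended for 3.3.2).
func NewSADVault(sadKey []byte, maxAge time.Duration) (*SADVault, error) {
	block, err := aes.NewCipher(sadKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SADVault{aead: aead, maxAge: maxAge, records: map[string]record{}, now: time.Now}, nil
}

// Store encrypts sad with a fresh random nonce and binds the transaction ID as
// associated data, so a ciphertext cannot be replayed under another transaction.
func (v *SADVault) Store(txnID string, sad []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, sad, []byte(txnID))
	v.records[txnID] = record{nonce: nonce, ciphertext: ct, storedAt: v.now()}
	return nil
}

// Take returns the plaintext for the authorization request and deletes the record in
// the same step, so nothing is retained once authorization proceeds.
func (v *SADVault) Take(txnID string) ([]byte, error) {
	rec, ok := v.records[txnID]
	if !ok {
		return nil, errors.New("no pre-authorization SAD for " + txnID)
	}
	delete(v.records, txnID)
	return v.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(txnID))
}

// Purge deletes records older than maxAge (abandoned authorizations) and reports how many.
func (v *SADVault) Purge() int {
	cutoff, n := v.now().Add(-v.maxAge), 0
	for id, rec := range v.records {
		if rec.storedAt.Before(cutoff) {
			delete(v.records, id)
			n++
		}
	}
	return n
}

func main() {
	vault, err := NewSADVault(mustKey(), 2*time.Minute)
	if err != nil {
		panic(err)
	}
	// Constructed sample CVV2, not real cardholder data.
	if err := vault.Store("txn-0001", []byte("123")); err != nil {
		panic(err)
	}
	cvv, err := vault.Take("txn-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("authorizing with %d-digit CVV2; records still held: %d\n", len(cvv), len(vault.records))
}
```

Two design points carry the compliance weight. Take deletes before it decrypts, so even a tampered record that fails authentication is not left behind, and a second Take for the same transaction fails. Purge is the automated retention sweep for authorizations that never come back; run it on a timer, and keep the limit short, because the only legitimate reason to hold SAD is the in-flight authorization.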
3. Expanded Control over PAN Relocation (Requirement 3.4.2)
Where remote-access technologies are used, technical controls must prevent PAN from being copied or relocated to local hard drives or removable media (for example via copy and paste, file transfer, or mapped local drives). Exceptions are limited to personnel with documented, explicit authorization for a defined business need.
4. Strengthened Keyed Cryptographic Hashing (Requirement 3.5.1.1)
Hashes used to render PAN unreadable must now be keyed cryptographic hashes (an HMAC, for example) computed over the entire PAN, with key management in line with Requirements 3.6 and 3.7. The reason is that an unkeyed hash of a PAN is not one-way in practice: the PAN space is small, the first six digits are a known BIN, and the last digit is a Luhn check digit, so an attacker can enumerate candidates and compare digests. A keyed hash cannot be recomputed by anyone who does not hold the key, which removes that offline guessing attack. Related to this, Requirement 3.5.1 also calls for controls so that hashed and truncated versions of the same PAN cannot be correlated to reconstruct it.
Good Practices:
- Use a randomly generated secret key of at least 128 bits, produced by a CSPRNG or an HSM, never derived from anything predictable.
- Manage the hashing key like any other key protecting account data: secure generation, storage, distribution, rotation, and retirement under strong key-management processes.
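To make the brute-force point concrete, here is an added example in Go (not code from the original post or from any PCI SSC material). It assumes a 16-digit PAN truncated to first six and last four digits, uses the well-known Visa test number 4111 1111 1111 1111 as constructed input, and compares a plain SHA-256 over the PAN with an HMAC-SHA256 over the entire PAN under a random 256-bit key. The attacker function and candidate loop are illustrative; a real deployment keeps the key in an HSM or KMS rather than generating it in memory.

```go
// Added example (not from the original post): why an unkeyed hash of a PAN is
// reversible, and how an HMAC over the entire PAN (Requirement 3.5.1.1) is not.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TestPAN is the well-known Visa test number: constructed input, not real cardholder data.
// The example assumes a 16-digit PAN truncated to first six / last four (Requirement 3.4.1).
const TestPAN = "4111111111111111"

// luhnOK reports whether pan is all digits and passes the Luhn check; the attacker uses it
// to skip impossible candidates during enumeration.
func luhnOK(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

// unkeyedHash is the legacy pattern: plain SHA-256 over the PAN, no secret involved.
func unkeyedHash(pan string) []byte {
	sum := sha256.Sum256([]byte(pan))
	return sum[:]
}

// keyedHash is HMAC-SHA256 over the entire PAN under a secret key. Nobody without the
// key can recompute it, so an offline guessing attack has nothing to compare against.
func keyedHash(pan string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return mac.Sum(nil)
}

// newHashKey draws a 256-bit key from the OS CSPRNG. In production the key lives in an
// HSM/KMS and is managed under Requirements 3.6 and 3.7.
func newHashKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// recoverPAN plays the attacker who holds a digest plus the truncated PAN (first six and
// last four digits) and can evaluate hash. Only six middle digits are unknown, so at most
// one million candidates exist, of which a tenth pass the Luhn check.
func recoverPAN(digest []byte, first6, last4 string, hash func(string) []byte) (string, bool) {
	for mid := 0; mid < 1_000_000; mid++ {
		cand := fmt.Sprintf("%s%06d%s", first6, mid, last4)
		if !luhnOK(cand) {
			continue
		}
		if hmac.Equal(hash(cand), digest) { // constant-time comparison
			return cand, true
		}
	}
	return "", false
}

func main() {
	key, err := newHashKey()
	if err != nil {
		panic(err)
	}
	first6, last4 := TestPAN[:6], TestPAN[12:]

	// Legacy unkeyed hash: combined with the truncated PAN it falls to brute force.
	if pan, ok := recoverPAN(unkeyedHash(TestPAN), first6, last4, unkeyedHash); ok {
		fmt.Println("unkeyed SHA-256 reversed, PAN =", pan)
	}

	// Keyed hash: the attacker cannot evaluate the HMAC with the real key. The best they
	// can do is guess a key, and the same enumeration then finds nothing.
	guessedKey := make([]byte, 32)
	attackerHash := func(p string) []byte { return keyedHash(p, guessedKey) }
	_, ok := recoverPAN(keyedHash(TestPAN, key), first6, last4, attackerHash)
	fmt.Println("keyed HMAC-SHA256 reversed:", ok)
}
```

Against the unkeyed digest the attacker needs at most a million guesses and recovers the full PAN in well under a second on a laptop; against the HMAC the same search comes back empty, while the legitimate key holder can still match a PAN to its digest by running the same enumeration (or a direct lookup) with the real key. The HMAC covers the whole PAN, not a truncated form, which is what 3.5.1.1 specifies.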
5. Limits on Disk-Level Encryption for PAN (Requirement 3.5.1.2)
Disk-level (or partition-level) encryption alone is no longer sufficient for PAN on non-removable media; it may be the sole mechanism only on removable electronic media. On fixed storage, PAN must also be rendered unreadable by another method such as truncation, tokenization, a keyed hash, or column-level encryption. The reason is that disk encryption is transparent to any authenticated user or process on the running system: it protects against loss of the physical drive, not against an attacker who has gained access to the host.
6. Cryptographic Architecture Documentation (Requirement 3.6.1.1)
Service providers were already required to maintain a documented description of their cryptographic architecture; the future-dated addition is the final bullet below, on separating test and production keys. The documentation must include:
- Details of all algorithms, protocols, and keys used to protect stored account data, including key strength and expiry date.
- A description of the key usage for each key.
- An inventory of hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices used for key management.
- How the use of the same cryptographic keys in production and test environments is prevented.
The Purpose of These Changes
The updates under Requirement 3 reflect a proactive approach to mitigating risks associated with stored account data. Encryption, hashing, and controlled access to sensitive data create a layered defense, minimizing the likelihood of unauthorized access or misuse.
How to Prepare for Compliance
- Audit Stored Data: Identify all PAN, SAD, and other sensitive data storage locations.
- Review Cryptographic Protocols: Evaluate encryption methods and key management systems to ensure they meet updated standards.
- Implement Automated Retention Policies: Use technology to delete data that exceeds its retention period automatically.
- Enhance Access Controls: Ensure only authorized personnel can handle sensitive data, especially in remote-access scenarios.
- Train Staff: Educate employees on new requirements and security practices.
Conclusion
Compliance with PCI DSS 4.0.1 is about more than meeting a standard; it is about staying ahead of evolving threats. The updates to Requirement 3 emphasize minimizing stored data, encrypting what must be kept, and running robust cryptographic processes. By adopting these measures now, businesses can be ready before the March 31, 2025 deadline.
This is part 1 of a series that discusses the new requirements going into effect in 2025; come back next week for part 2. If you want to understand the new PCI DSS v4.x requirements that are in effect now, check out this post.
For a detailed understanding of PCI DSS compliance and best practices, check out my book, Fortifying The Digital Castle: A Strategic Guide to PCI DSS Compliance and Cyber Defense.
Stay secure, and start preparing today!