Data Encryption Policy v3

Uploaded by Benjamin Essien

Logo Information Technology Department
Policy Document

Data Encryption Policy

Version 3.0
<Date>

History Log
Version Date Author
Draft Version 3.0 Aug 2014 ControlCase

Data Encryption Policy Page 1


Contents
1. Purpose ... 3
2. Scope ... 3
3. Policy ... 3

1. Purpose

The purpose of this policy is to ensure the protection of <NAME OF THE ORGANIZATION>'s
cardholder data at rest and in transit using industry-accepted encryption standards.

2. Scope

This policy addresses <NAME OF THE ORGANIZATION>'s data encryption and key management
requirements for cardholder data (i.e. PAN, track data, CVV, PIN, etc.) in the Cardholder Data
Environment (CDE), both in transit and at rest.

3. Policy
3.1 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable
digital media, backup media, in logs, and data received from or stored by wireless
networks) by using any of the following approaches:
a) Strong one-way hash functions (hashed indexes)
b) Truncation
c) Index tokens and pads (pads must be securely stored)
d) Strong cryptography with associated key management processes and procedures
(PCI DSS 3.0 Reference – Requirement 3.4.a).

3.2 Encryption of card data shall be carried out using one of the following:
 • Symmetric key encryption: AES 256-bit, or 3DES with associated key management procedures
 • Asymmetric key encryption: RSA 2048-bit, Diffie-Hellman 2048-bit, ElGamal 2048-bit

3.3 The MINIMUM account information that must be rendered unreadable is the PAN.

3.4 Cardholder data on removable media shall be encrypted wherever stored.

3.5 If disk encryption is used to encrypt the data, then logical access must be managed
separately and independently of native operating system authentication and access control
mechanisms (for example, by not using local user account databases or general network login
credentials). Decryption keys must not be associated with user accounts.

3.6 No PAN data shall be sent via end-user messaging technologies, for example e-mail, instant
messaging, and chat. If a business requirement makes it necessary to send PAN data over e-mail,
it must be encrypted with a strong encryption algorithm to ensure secure communication (PCI
DSS 3.0 Reference – Requirement 4.2.b). If PAN data is not permitted to be sent via messaging
technologies at all, delete the preceding point about encrypting e-mailed data with a strong
encryption algorithm.

3.7 Any cardholder data transmission over public networks (e.g. Internet, wireless, cellular
technology – GSM & CDMA, GPRS, satellite communication) must be encrypted using strong
cryptography and security protocols (e.g. IPSEC VPN, SSL, SSH, etc.) to safeguard data during
transmission. The following must also be considered in such cases (PCI DSS 3.0 Reference –
Requirement 4.1.a, 4.1.b):
 • Only trusted keys and certificates are accepted.
 • The protocol in use only supports secure versions or configurations, e.g. SSL v3.
 • The encryption strength is appropriate for the encryption methodology in use, e.g.
AES256, RSA 2048, 3DES.

3.8 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to
be displayed). Note: this requirement does not apply to employees and other parties with a
specific/legitimate need to see the full PAN (PCI DSS Requirement 3.3.a).
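As an added illustration of requirements 3.1 and 3.8 (example code written for this page, not part of the original policy), the following Python functions produce the stored and displayed forms of a PAN: a keyed one-way hashed index (3.1 a), truncation (3.1 b) and first-six/last-four masking (3.8). The function names, the sample test card number and the demo key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a standard test card number, not a real PAN.
SAMPLE_PAN = "4111 1111 1111 1111"


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not a 13-19 digit PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form (3.8): at most the first six and last four digits are shown."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form (3.1 b): only the last four digits are retained. The rest is
    discarded rather than hidden, so the stored value cannot be reversed."""
    return normalize_pan(pan)[-4:]


def hashed_index(pan: str, index_key: bytes) -> str:
    """Storage/lookup form (3.1 a): a keyed one-way hash (HMAC-SHA-256).

    An unkeyed hash is weak here: with a known issuer prefix and last four
    digits, the remaining digits leave a small search space that exhaustive
    guessing covers. The HMAC key is a cryptographic key and is protected as
    such (3.9, 3.11), separately from the hashed values; hashed and truncated
    forms of the same PAN must also not be stored where they can be correlated.
    """
    if len(index_key) < 32:
        raise ValueError("index key must be at least 256 bits")
    msg = normalize_pan(pan).encode("ascii")
    return hmac.new(index_key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo key only; use a managed key in practice
    print(mask_pan(SAMPLE_PAN))      # 411111******1111
    print(truncate_pan(SAMPLE_PAN))  # 1111
    print(hashed_index(SAMPLE_PAN, key)[:16], "...")
```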

3.9 Encryption Keys shall be stored in a location separate from the encrypted data (PCI DSS 3.0
Reference Requirement 3.5).

3.10 Store keys securely in the fewest possible locations and forms (PCI DSS 3.0 Reference –
Requirement 3.5).

3.11 Cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of
the following forms at all times (PCI DSS 3.0 Reference – Requirement 3.5, 3.5.2.a). (Please
document the procedures for each of the bullet points listed here as per the actual
implementation of the encryption mechanism in the environment.)
 • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key,
and that is stored separately from the data-encrypting key.
 • Within a secure cryptographic device (such as a host security module (HSM) or
PTS-approved point-of-interaction device).
 • As key components or key shares, in accordance with an industry-accepted method.

3.12 Encryption keys used for encryption of cardholder data shall be protected against both
disclosure and misuse by (PCI DSS 3.0 Reference – Requirement 3.5):
 • Restricting access to keys to the fewest number of custodians necessary
 • Secure storage of keys in the fewest possible locations and forms

3.13 Key management processes and procedures for keys used for encryption of cardholder data
shall be documented and implemented for (PCI DSS 3.0 Reference – Requirement
3.6.1, 3.6.2, 3.6.3, 3.6.7.a) (please document the procedures for key generation, storage,
distribution and each of the bullet points listed here as per the actual implementation of the
encryption mechanism in the environment):
 • Generation of strong keys
 • Secure key distribution
 • Secure key storage
 • Periodic key changes
 - as per the crypto period of the encryption algorithm
 - in case of suspected key compromise, or when a person with knowledge of the key
leaves the job
 • Destruction of old keys
 • Split knowledge and establishment of dual control of keys (so that two or three people,
each knowing only their part of the key, are required to reconstruct the whole key)
 • Prevention of unauthorized substitution of keys
 • Replacement of known or suspected compromised keys
 • Revocation of old or invalid keys (for RSA keys only)
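As an added example for the split-knowledge and dual-control item above (3.13) and the key-component form in 3.11, written for this page rather than taken from the policy: a key is split into XOR components held by separate custodians, so that every component is needed to rebuild the key and any proper subset of them is independent of it. The function names are constructed for the illustration.

```python
import secrets


def generate_strong_key(bits: int = 256) -> bytes:
    """Generate a key from the OS CSPRNG (3.13: generation of strong keys)."""
    if bits % 8 or bits < 128:
        raise ValueError("key size must be a multiple of 8 bits and at least 128")
    return secrets.token_bytes(bits // 8)


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split `key` into `custodians` components whose XOR is the key.

    All components but the last are fresh random bytes, so each one on its own,
    and any proper subset, is uniformly random and reveals nothing about the key.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytearray(key)
    for comp in components:
        for i, b in enumerate(comp):
            last[i] ^= b
    components.append(bytes(last))
    return components


def combine_key(components: list[bytes]) -> bytes:
    """Reconstruct the key: the dual-control step, run only once every custodian
    has supplied their component (e.g. inside an HSM or key-loading ceremony)."""
    if not components or len({len(c) for c in components}) != 1:
        raise ValueError("components missing or of unequal length")
    key = bytearray(len(components[0]))
    for comp in components:
        for i, b in enumerate(comp):
            key[i] ^= b
    return bytes(key)


if __name__ == "__main__":
    dek = generate_strong_key(256)
    parts = split_key(dek, 3)
    assert combine_key(parts) == dek
    # Two of three custodians together still learn nothing: the XOR of their
    # parts is a uniformly random value unrelated to the key.
    assert combine_key(parts[:2]) != dek
    print("key rebuilt only from all", len(parts), "components")
```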

3.14 Encryption keys shall be changed or retired (PCI DSS 3.0 Reference – Requirement 3.6.4.a,
3.6.5.a):
 • as per the defined crypto period of the encryption algorithm
 • in case of suspected key compromise, or when a person with knowledge of the key leaves
the job
 • when the integrity of the key has been weakened.

3.15 Any keys retained after retiring or replacing shall not be used for encryption operations (PCI
DSS 3.0 Reference – Requirement 3.6.5.a).

3.16 If manual clear-text cryptographic key-management operations are used, then split knowledge
and dual control shall be followed to ensure that two people are required to perform any
key-management operation and no one person has access to the authentication materials of
another (PCI DSS 3.0 Reference – Requirement 3.6.6.a).

3.17 Key custodians shall sign a form stating that they understand and accept their
key-custodian responsibilities (PCI DSS 3.0 Reference – Requirement 3.6.8.a).

The <Name the responsible area> is the owner of this document and is responsible for ensuring that this
policy document is reviewed in line with the review requirements stated above.

A current version of this document is available to all members of staff.

This policy was approved by the <TITLE> and is issued on a version-controlled basis under his/her signature.

Signature: Date:
