
Payment Card Industry (PCI) Solution

Implementation: Section 3

PCI Requirement | Check Point Solution
3. Protect stored cardholder data

3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

Sections 3.1 through 3.3 cover administrative (policy-setting) and storage requirements that Check Point products do not address.

Check Point VARs, SIs, and business partners can provide consulting services to help an organization implement the storage-protection requirements outlined in these sections wherever cardholder data resides in the organization.

3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

  • Strong one-way hash functions (hashed indexes)
  • Truncation
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key management processes and procedures.

The MINIMUM account information that must be rendered unreadable is the PAN. If, for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: "Compensating Controls for Encryption of Stored Data."
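The following Python is an added example illustrating requirements 3.3 and 3.4 above; it is not Check Point code and not part of the original page. It shows a PAN masked for display (first six and last four digits), truncated for storage, and turned into a hashed index with a keyed one-way hash. The sample PAN is the constructed Visa test number 4111111111111111 (not a real account), the hash key is generated at import time as a stand-in for a key held under the key-management procedures 3.4 requires, and the record layout returned by `build_stored_record` is a hypothetical one chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"

# Assumed key for the keyed hash. In a real deployment this would be issued and
# rotated under the key-management processes that requirement 3.4 calls for.
HASH_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Sanity-check a PAN with the Luhn algorithm before processing it."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Requirement 3.3: never display more than the first six and last four digits."""
    if first > 6 or last > 4:
        raise ValueError("at most the first six and last four digits may be displayed")
    if len(pan) <= first + last:
        raise ValueError("PAN too short to mask")
    hidden = len(pan) - first - last
    return pan[:first] + "*" * hidden + pan[-last:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4, truncation: store only a fragment of the PAN.

    The middle digits are discarded rather than hidden, so they cannot be
    recovered from the stored value.
    """
    if len(pan) <= 10:
        raise ValueError("PAN too short to truncate")
    return pan[:6] + pan[-4:]


def hashed_index(pan: str, key: bytes = HASH_KEY) -> str:
    """Requirement 3.4, hashed index: a keyed one-way hash (HMAC-SHA-256).

    A keyed hash is used here because the space of valid PANs is small (a
    known issuer prefix plus a Luhn check digit leaves far fewer candidates
    than the hash output suggests), so an unkeyed digest could be matched by
    hashing candidate PANs. The secret key removes that shortcut.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def build_stored_record(pan: str) -> dict:
    """Hypothetical stored record: keeps a display form, a truncated copy and a
    keyed index, and never the full PAN itself."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {
        "pan_display": mask_pan(pan),
        "pan_truncated": truncate_pan(pan),
        "pan_index": hashed_index(pan),
    }


if __name__ == "__main__":
    for field, value in build_stored_record(SAMPLE_PAN).items():
        print(f"{field}: {value}")
```

The hashed index lets an application match a presented PAN against stored records (by recomputing the HMAC with the same key) without any stored copy being reversible, while the truncated field satisfies the common business need to recognise a card by its first six and last four digits.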

Check Point Full Disk Encryption delivers the highest level of data security by providing a strong, full-disk encryption solution for PCs and laptops as well as access control.

Appendix B is new in PCI DSS 1.1. For companies that cannot render cardholder data unreadable as requirement 3.4 demands, it describes how compensating controls can be used to reach compliance when there is a legitimate technical reason. Check Point's VPN-1 and InterSpect can help provide the segmentation, access-restriction, database-access, and application/database attack-protection controls outlined in that appendix.
