Requirement 3: Protect Stored Account Data
Overview
Protection methods such as encryption, truncation, masking, and hashing are critical components of account data protection. If an intruder circumvents other security controls and gains access to encrypted account data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
Sensitive authentication data (SAD) includes the data as listed in the table at Requirement 3.3.1 and is also referred to as "security-related information" in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms.
Other effective methods of protecting stored data should also be considered as potential risk-mitigation opportunities. For example, methods for minimizing risk include not storing account data unless absolutely necessary, truncating account data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
Sections
- 3.1: Processes and mechanisms for protecting stored account data are defined and understood.
- 3.2: Storage of account data is kept to a minimum.
- 3.3: Sensitive authentication data (SAD) is not stored after authorization.
- 3.4: Access to displays of full PAN and ability to copy PAN is restricted.
- 3.5: Primary account number (PAN) is secured wherever it is stored.
- 3.6: Cryptographic keys used to protect stored account data are secured.
- 3.7: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
3. Protect Stored Account Data
Prevent unauthorized access to cardholder data through cryptographic protection, access controls, and systematic data minimization strategies across all storage platforms including databases, file shares, cloud storage, and backup systems.
Frequently Asked Questions
What are the major changes in Requirement 3 for PCI DSS 4.0.1?
PCI DSS 4.0.1 introduces three critical updates: 1) Explicit requirement for automated data discovery tools to identify all stored account data, 2) Mandated use of strong cryptography (minimum AES-128, RSA-2048) with a documented cryptographic architecture, and 3) Enhanced focus on protecting data in serverless architectures and containerized environments. The update clarifies that disk-level encryption alone does not satisfy requirement 3.4; application-layer encryption is required for PAN storage. New sub-requirements specifically address protection of authentication data in memory and temporary files.
How should we handle encryption in hybrid cloud environments?
Implement a unified encryption strategy using: 1) Cloud provider HSMs (AWS CloudHSM, Azure Dedicated HSM) for cloud data, 2) On-premises HSM appliances (Thales Luna, Entrust nShield) for physical systems, 3) The Key Management Interoperability Protocol (KMIP) for cross-platform key sharing. Use envelope encryption, with data keys encrypted by master keys stored in HSMs. For serverless architectures, implement runtime memory protection using tools like AWS Nitro Enclaves. Maintain detailed data flow diagrams showing encryption states across hybrid boundaries and conduct quarterly cryptographic architecture reviews.
What are the requirements for tokenization solutions?
Tokenization systems must: 1) Use format-preserving encryption (FPE) tokens with a strong cryptographic basis (the FF3-1 algorithm), 2) Maintain complete separation between token vaults and CDE environments, 3) Implement dual control for token mapping database access, 4) Log all detokenization requests with multi-factor authentication. Conduct annual penetration testing specifically targeting tokenization systems and maintain evidence of vault segmentation validation. Cloud-based tokenization services must provide independent attestation of PCI DSS compliance (ROC for service providers).
How do we properly implement data retention policies?
Establish automated data lifecycle management with: 1) Classification tagging for all stored PAN (e.g., 'PCI-Data-Exp2025Q3'), 2) Scheduled deletion jobs using tools like Varonis Data Governance, 3) Write-once-read-many (WORM) configurations for archived data, 4) Quarterly attestation of data disposal processes. Implement database field-level retention policies (e.g., PostgreSQL AUTO_DELETE triggers) and cloud storage lifecycle rules (AWS S3 Object Expiration). Maintain disposal certificates from storage providers and sanitization logs from tools like Blancco Drive Eraser.
What monitoring is required for encrypted data stores?
Implement real-time monitoring with: 1) File integrity monitoring (Tripwire, Wazuh) for encrypted files, 2) Database activity monitoring (Imperva, IBM Guardium) for encrypted columns, 3) Key usage auditing via HSMs, 4) Memory protection monitoring (Windows Credential Guard logs). Use machine learning anomaly detection (Darktrace, Vectra) for encrypted traffic patterns. Store logs in immutable format (AWS S3 Object Lock) with 90-day retention. Conduct monthly reviews of decryption activity patterns and quarterly comparisons against expected usage baselines.
Common QSA Questions
Can you show the cryptographic architecture diagram for PAN storage?
Our cryptographic architecture uses layered encryption with: 1) Application-layer AES-256-GCM encryption of PAN before database insertion, 2) Column-level encryption in MySQL using AWS KMS-backed keys, 3) Volume encryption via LUKS with keys rotated every 90 days. The diagram shows separation between key management (Thales CipherTrust Manager in DMZ), encryption services (Vault Enterprise in secured zone), and data stores (Oracle Exadata in isolated VLAN). We maintain FIPS 140-2 Level 3 validation for all cryptographic modules and can demonstrate encryption state transitions through our data flow diagrams.
Can you provide evidence of automated data discovery processes?
We run weekly scans using Spirion Data Discovery across all storage locations: 1) Network shares scanned via scheduled PowerShell scripts, 2) Cloud storage buckets monitored with AWS Macie and Azure Purview, 3) Database content analyzed using IBM Stored Data Discovery. Findings are categorized in ServiceNow with automatic ticket generation for unauthorized PAN storage. Our dashboard shows 98.7% coverage of storage locations, with exceptions documented for air-gapped legacy systems protected by physical controls. Scan reports include before/after comparisons showing remediation of false PAN storage incidents.
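The validation step a discovery scan needs so that regex hits do not all become PAN storage incidents, as an added example that is not the page's, Spirion's or any other vendor's code: candidates are Luhn-checked, and findings carry only a masked form suitable for restricted display under Requirement 3.4. The sample file contents, the source names and the first-six/last-four masking rule are constructed for this illustration.

```javascript
// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn check digit (ISO/IEC 7812). Roughly one random digit string in ten passes,
// so regex hits that skip this step are mostly order numbers and identifiers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Display form used in findings (assumed first six and last four digits), so the
// scan report does not itself become another store of cardholder data.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Scan one text blob from a named source; only Luhn-valid candidates are reported.
function scanText(source, text) {
  const findings = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) findings.push({ source, offset: m.index, masked: maskPan(digits) });
  }
  return findings;
}

function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanText(name, text));
}

// Constructed sample content: two payment-network test PANs (one with spaces) and a
// 16-digit order number that fails Luhn, the kind of hit that inflates incident counts.
const SAMPLE_FILES = {
  "share/export.csv": "cust=1001,pan=4111111111111111,amt=19.99\ncust=1002,pan=5500 0000 0000 0004,amt=5.00",
  "share/orders.log": "order=1234567890123456 shipped",
};

for (const f of scanAll(SAMPLE_FILES)) {
  console.log(`${f.source}@${f.offset}: ${f.masked}`);
}
```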
Can you demonstrate key management procedures, including rotation?
Our key lifecycle management process includes: 1) Quarterly rotation of encryption keys using Thales Key Management, 2) Dual-control key ceremonies documented via Jira Service Management tickets, 3) Automated key expiration alerts in Splunk, 4) Historical key archives stored in AWS Glacier with cryptographic shredding after 7 years. We maintain separation between production and test keys, with HSM-based quorum authentication requiring 2-of-3 security officer smart cards. Key usage is logged in HashiCorp Vault with RBAC policies limiting access to named cryptographers. Recent key rotation evidence includes Azure Key Vault rotation logs and the corresponding database re-encryption job completion timestamps.