3.3 Sensitive authentication data (SAD) is not stored after authorization.
This requirement ensures that sensitive authentication data (SAD) is not retained once authorization is complete, and that organizations have controls in place to prevent such storage.
Sub-requirements
- 3.3.1: SAD is not stored after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.
- 3.3.1.1: The full contents of any track are not stored upon completion of the authorization process.
- 3.3.1.2: The card verification code is not stored upon completion of the authorization process.
- 3.3.1.3: The personal identification number (PIN) and the PIN block are not stored upon completion of the authorization process.
- 3.3.2: SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
- 3.3.3: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data.
Ensure that SAD, such as full track data, CVV, and PINs, is never stored after authorization, even if encrypted.
Frequently Asked Questions
What is considered sensitive authentication data?
Full track data, card verification codes (CVV), and PINs or PIN blocks.
Can SAD be stored if it is encrypted?
No, SAD must not be stored after authorization, even if encrypted.
How do you ensure SAD is not stored?
By configuring applications to never retain SAD and using data discovery tools to scan for it.
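The two controls named in that answer, an application that never writes SAD to storage and a discovery scan that finds SAD where it should not be, can be sketched in a few lines. The following is an added example, not code from this page or from any PCI DSS tooling: the log lines are constructed, the regular expressions are illustrative patterns for Track 1, Track 2, card verification code and PIN block formats rather than a complete discovery engine, and the field names in SAD_FIELDS are hypothetical. A Luhn check on the PAN portion keeps random digit runs from being reported as track data.

```python
import re

# Constructed sample lines (not from any real system). Line 1 is acceptable: a masked
# PAN and no SAD. Lines 2-5 are the kinds of data 3.3.1.1-3.3.1.3 say must never be stored.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z auth ok pan=411111******1111 amount=12.00',
    '2024-05-01T10:00:02Z DEBUG swipe=";4111111111111111=25121011234567890?"',
    '2024-05-01T10:00:03Z DEBUG swipe="%B4111111111111111^DOE/JOHN^25121011000000000000?"',
    '2024-05-01T10:00:04Z DEBUG request {"pan":"4111111111111111","cvv":"123"}',
    '2024-05-01T10:00:05Z DEBUG pin_block=0123456789ABCDEF',
]

# Illustrative patterns. Track 1: %B<PAN>^<name>^<YYMM>...; Track 2: <PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%[A-Z]?(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=\d{4}")
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|cid)"?\s*[:=]\s*"?(\d{3,4})(?!\d)', re.I)
PINBLOCK_RE = re.compile(r'\bpin[_ ]?block"?\s*[:=]\s*"?([0-9A-Fa-f]{16})(?![0-9A-Fa-f])', re.I)

# Hypothetical field names used by the in-memory authorization request.
SAD_FIELDS = frozenset({"track1", "track2", "cvv", "cvv2", "cvc", "pin", "pin_block"})


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so that arbitrary digit runs are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, so the finding itself is safe to report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sad(line: str) -> list:
    """Return (kind, masked_value) for each piece of SAD found in one line of text."""
    hits = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            hits.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask_pan(m.group(1))))
    for _ in CVV_RE.finditer(line):
        hits.append(("cvv", "***"))
    for _ in PINBLOCK_RE.finditer(line):
        hits.append(("pin_block", "*" * 16))
    return hits


def scan_lines(lines) -> list:
    """Discovery pass over stored text: (line_number, kind, masked_value) per finding."""
    return [(n, kind, masked)
            for n, line in enumerate(lines, 1)
            for kind, masked in find_sad(line)]


def persistable_record(auth_request: dict) -> dict:
    """What may be written to storage once authorization completes: everything except SAD.
    The PAN itself is not SAD and is governed by the separate storage requirements."""
    return {k: v for k, v in auth_request.items() if k.lower() not in SAD_FIELDS}


if __name__ == "__main__":
    # Application side: drop SAD before the record is persisted.
    request = {"pan": "4111111111111111", "cvv": "123",
               "track2": "4111111111111111=25121011234567890", "amount": "12.00"}
    print("stored record:", persistable_record(request))
    # Discovery side: scan what did get written and report each finding with a masked value.
    for n, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} found ({masked})")
```

Running the module prints a stored record containing only the PAN and amount, then four findings on lines 2 to 5 of the sample log. In practice the scan would be run against log files, databases, crash dumps and backups, and any finding handled as the next FAQ answer describes: delete the data and investigate how it got there.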
What if SAD is found in storage?
It must be deleted immediately, and the incident should be investigated and remediated.
Are there exceptions for issuers?
Issuers may store SAD only if necessary for business and must protect it with strong controls.
Common QSA Questions
Can you demonstrate that SAD is not stored after authorization?
We have automated controls and regular scans in place to ensure SAD is never stored post-authorization.
How do you detect and respond to unauthorized SAD storage?
We use data discovery scans and incident response procedures to detect and remediate any unauthorized storage.
Are there any business processes that require SAD storage?
Only issuer-related processes, and those are strictly controlled and documented.