3.3.1 SAD is not stored after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.
This requirement has the following sub-requirements:
- 3.3.1.1 The full contents of any track are not stored upon completion of the authorization process.
- 3.3.1.2 The card verification code is not stored upon completion of the authorization process.
- 3.3.1.3 The personal identification number (PIN) and the PIN block are not stored upon completion of the authorization process.
Defined Approach Requirements
3.3.1 SAD is not stored after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.
Customized Approach Objective
This requirement is not eligible for the customized approach.
Applicability Notes
Issuers and companies that support issuing services, where there is a legitimate and documented business need to store SAD, are not required to meet this requirement. A legitimate business need is one that is necessary for the performance of the function being provided by or for the issuer. Refer to Requirement 3.3.3 for additional requirements specifically for these entities.
Sensitive authentication data includes the data cited in Requirements 3.3.1.1 through 3.3.1.3.
Defined Approach Testing Procedures
3.3.1.a If SAD is received, examine documented policies, procedures, and system configurations to verify the data is not stored after authorization.
3.3.1.b If SAD is received, examine the documented procedures and observe the secure data deletion processes to verify the data is rendered unrecoverable upon completion of the authorization process.
Purpose
SAD is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Therefore, the storage of SAD upon completion of the authorization process is prohibited.
Good Practice
It may be acceptable for an entity to store SAD in non-persistent memory for a short time after authorization is complete, if the following conditions are met:
- There is a legitimate business need to access SAD in memory after authorization is complete.
- SAD is only ever stored in non-persistent memory (for example, RAM, volatile memory).
- Controls are in place to ensure that memory maintains a non-persistent state.
- SAD is removed as soon as the business purpose is complete.
It is not permissible to store SAD in persistent memory.
Definitions
The authorization process completes when a merchant receives a transaction response (for example, an approval or decline).
Refer to Appendix G for the definition of "authorization."
Purpose
Do not store sensitive authentication data after authorization.
Compliance Strategies
- Data discovery scans
- Automated deletion routines
Typical Policies
- Sensitive Data Handling Policy
Common Pitfalls
- SAD stored post-authorization
Type
Technical/Process Control
Difficulty
High
Key Risks
- Regulatory fines, increased breach risk
Recommendations
- Automate SAD deletion and monitor storage
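The "data discovery scans" strategy above and testing procedure 3.3.1.a both come down to checking persistent storage (logs, dumps, databases) for SAD that should have been rendered unrecoverable. The following is an added illustration, not code from PCI SSC or this page: a small scanner for track data, card verification codes and PIN blocks in log lines. The track layouts are assumed from ISO/IEC 7813 (the page does not define them), the field names are guesses at common log keys, and the sample log lines are constructed; findings report only the line number and kind, so the scanner's own output never becomes a new SAD store.

```python
import re
from typing import NamedTuple

# Track 1 (%B<PAN>^<NAME>^<YYMM>...) and Track 2 (;<PAN>=<YYMM>...) per ISO/IEC 7813 (assumed).
TRACK1 = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";\d{12,19}=\d{4}")
# Card verification code under common key names (assumed), e.g. cvv2=123 or "cvc2":"123".
CVC = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\"?\s*[=:]\s*\"?\d{3,4}\b", re.I)
# PIN block: 16 hex digits after a pin/pin_block key (assumed key names).
PINBLK = re.compile(r"\bpin(?:_?block)?\"?\s*[=:]\s*\"?[0-9A-F]{16}\b", re.I)

CHECKS = [("track1", TRACK1), ("track2", TRACK2), ("cvc", CVC), ("pin_block", PINBLK)]


class Finding(NamedTuple):
    line_no: int
    kind: str  # which SAD element was found; the value itself is deliberately not recorded


def scan_lines(lines):
    """Return a Finding for every line that appears to hold SAD after authorization."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pattern in CHECKS:
            if pattern.search(line):
                findings.append(Finding(n, kind))
    return findings


def scan_file(path):
    """Scan a persistent log file line by line (errors='replace' tolerates binary junk)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample log: one clean line, four lines that each leak a different SAD element,
# and a clean decline. Only the masked PAN on the first line is acceptable to retain.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z auth ok pan=411111******1111 amount=19.99 resp=00",
    "2024-05-01T10:00:01Z DEBUG raw=%B4111111111111111^DOE/JANE^29051011000000000000?",
    "2024-05-01T10:00:02Z DEBUG swipe=;4111111111111111=29051011000000000000?",
    '2024-05-01T10:00:03Z request {"pan":"4111...","cvv2":"123","exp":"2905"}',
    "2024-05-01T10:00:04Z pin_block=1234ABCD5678EF90 fwd to hsm",
    "2024-05-01T10:00:05Z auth declined resp=05",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} present in persistent log")
```

A clean result on the retained logs, databases and crash dumps is the evidence 3.3.1.a asks for; any finding points at a component that still writes SAD after the authorization response.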
Eligible SAQ
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER