WithPCI Logo
WithPCI.com

Data Protection & Encryption Policy Template
Company Name [Company Name]
Effective Date [Date]
Version [Version Number, e.g., 1.0]
Policy Owner [CISO/IT Director]
Document Classification Confidential / Internal Use Only
Parent Policy Information Security Policy

Purpose

This policy defines the requirements for protecting the confidentiality, integrity, and availability of [Company Name]'s sensitive information assets throughout their lifecycle (creation, processing, storage, transmission, disposal). It establishes standards for data classification, handling, storage, encryption, key management, data loss prevention, and disposal to minimize the risk of unauthorized access, disclosure, alteration, or destruction, ensuring compliance with legal, regulatory (including PCI DSS 4.0.1), and contractual obligations.

Scope

This policy applies to all sensitive data created, owned, processed, stored, or transmitted by [Company Name] or on its behalf, regardless of format (digital, physical) or location (on-premises data centers, cloud environments, endpoints, removable media, backups). Sensitive data includes, but is not limited to, Cardholder Data (CHD), Personally Identifiable Information (PII), Protected Health Information (PHI), Intellectual Property (IP), financial records, employee information, and other proprietary or confidential business data. All employees, contractors, consultants, temporary staff, and third-party service providers with access to sensitive data are subject to this policy.

Roles and Responsibilities

Role/Group Key Responsibilities
Executive Management Provide oversight and resources for the data protection program; Establish acceptable risk levels for data handling.
CISO/IT Director Own and approve this policy; Oversee the implementation and effectiveness of data protection controls; Ensure compliance with relevant regulations.
Information Security Team Develop and maintain data protection standards (incl. encryption, key mgmt); Manage DLP systems; Monitor for data security incidents; Conduct security assessments; Oversee HSMs if applicable.
Data Owners (e.g., Dept Heads) Classify data within their functional area; Define access requirements; Ensure compliance with data retention schedules; Approve data handling procedures for their data.
Data Custodians (e.g., IT Admins) Implement and manage technical controls (encryption, access controls, backups) according to policy and Data Owner requirements; Securely store and dispose of data/media.
Legal & Compliance Advise on legal/regulatory requirements (PCI DSS, GDPR, CCPA etc.); Review data sharing agreements; Assist with data subject requests and breach notifications.
Network Engineering Team Implement network segmentation and controls supporting Data Storage Zoning; Configure network DLP components.
Application Development Team Incorporate data protection principles (secure coding, encryption, masking) into application design and development; Minimize data collection and storage.
All Users Handle sensitive data according to its classification and this policy; Complete required security awareness training; Report potential data loss or misuse immediately.
Human Resources (HR) Ensure data protection responsibilities are included in job descriptions; Manage employee data securely; Coordinate training.

Policy Requirements

1. Data Classification

  • All company data must be classified based on its sensitivity, criticality, and legal/regulatory requirements. A formal data classification scheme must be maintained (e.g., Public, Internal, Confidential, Restricted/Sensitive).
  • Cardholder Data (CHD) and Sensitive Authentication Data (SAD) are automatically classified at the highest sensitivity level (e.g., Restricted/Sensitive).
  • Data Owners are responsible for classifying data within their purview.
  • Appropriate security controls (access, encryption, handling, disposal) must be applied based on the data's classification level.

2. Data Handling and Minimization

  • Collect, process, and store only the minimum sensitive data necessary for legitimate business purposes.
  • Sensitive data must not be stored, copied, or used in non-production environments (development, testing) unless it is appropriately obfuscated (masked, tokenized) according to Section 8. Production data (live PANs) must not be used for testing or development (PCI DSS Req 6.4.2).
  • Printing or creating physical copies of sensitive data should be avoided unless strictly necessary and must be handled securely (e.g., stored in locked containers, shredded when no longer needed).
  • Transmission of sensitive data must utilize secure, encrypted channels (See Section 5).

3. Data Storage Zoning Policy

  • Implement logical and/or physical network segmentation to create distinct security zones based on data classification and system criticality.
  • The Cardholder Data Environment (CDE) must be strictly isolated from all other network zones, including corporate LANs, guest networks, and less trusted environments, using firewalls and restrictive access controls.
  • Systems storing different classifications of data should reside in appropriately secured network zones with controls matching the highest data classification level within that zone.
  • Data flows between zones must be strictly controlled via firewalls, allowing only necessary traffic based on documented business justifications (PCI DSS Req 1).

4. PAN Storage Justification and Protection (PCI DSS Specific)

  • Storing Primary Account Numbers (PAN) after authorization is prohibited unless essential for a legitimate business need.
  • All requirements to store PAN must be formally documented, including the specific business justification, data owner approval, and adherence to the data retention schedule. This documentation must be reviewed at least annually.
  • If PAN is stored, it must be rendered unreadable anywhere it is stored (including portable digital media, backup media, logs) using one of the following methods (PCI DSS Req 3.5):
    • Strong cryptography (See Section 5 & 6).
    • Tokenization systems (with tokens that cannot be correlated back to the PAN outside the secure token vault).
    • Hashing using strong, industry-accepted algorithms (e.g., SHA-256 or higher, appropriately salted).
    • Truncation (ensuring the truncated segment cannot be used to reconstruct the full PAN - first six/last four is the maximum displayable).
  • The full PAN must never be sent unprotected via end-user messaging technologies (e.g., email, instant messaging, SMS, chat).
  • Sensitive Authentication Data (SAD - e.g., full track data, CVV2, PIN) must never be stored after authorization, even if encrypted.

5. Encryption of Data in Transit

  • All transmission of sensitive data, especially CHD, over open, public networks (e.g., internet, wireless networks) must be encrypted using strong cryptography and security protocols (See Section 6).
  • Internal transmission of sensitive data across trusted network segments should also utilize encryption where feasible and required by risk assessment or specific regulation.
  • Ensure only secure protocols and configurations are enabled (e.g., disable SSL/early TLS, weak ciphers).

6. Cryptographic Standards

  • Maintain documented standards defining approved cryptographic algorithms, key lengths, and protocols for data encryption (at rest and in transit) and key management. These standards must align with industry best practices and relevant regulations (e.g., PCI DSS Appendix A2, NIST guidelines).
  • Approved Algorithms (Examples - Review and Update Regularly):
    • Symmetric Encryption (Data at Rest): AES (128-bit minimum, 256-bit recommended).
    • Asymmetric Encryption (Key Exchange/Digital Signatures): RSA (2048-bit minimum, 3072-bit+ recommended), ECC (256-bit+ recommended).
    • Hashing (Integrity/PAN Storage): SHA-256 or higher.
    • Transmission Protocols: TLS 1.2 minimum, TLS 1.3 strongly recommended. SSHv2 with strong ciphers.
  • Prohibit the use of known weak or compromised algorithms and protocols (e.g., SSL, early TLS, WEP, DES, MD5, SHA-1 for security purposes).
  • Standards must be reviewed and updated at least annually or when new vulnerabilities or best practices emerge.

7. Cryptographic Key Management

  • Implement documented policies and procedures for the secure lifecycle management of cryptographic keys, including generation, distribution, storage, usage, rotation, backup/recovery, and destruction.
  • Keys used for encrypting sensitive data (especially CHD) must be managed securely, separate from the encrypted data, and with access strictly limited based on need-to-know and defined roles.
  • Implement strong access controls for key management systems and processes.
  • Key-encrypting keys must be at least as strong as the data-encrypting keys they protect.
  • Key rotation frequency must be defined based on risk and regulatory requirements (e.g., annually for keys protecting CHD, or upon suspected compromise).
  • Procedures must exist for responding to key compromise.
  • HSM Configuration Standard (If Applicable):
    • If Hardware Security Modules (HSMs) are used for key generation, storage, or cryptographic operations, they must be configured and managed according to industry best practices and vendor recommendations.
    • HSMs must be physically secured in controlled environments.
    • Logical access to HSM administration must be strictly controlled using multi-person control (split knowledge/dual control) and strong authentication (MFA).
    • HSM configurations must be hardened (default passwords changed, unnecessary services disabled).
    • HSM logs must be securely captured, monitored, and retained.
    • HSM firmware must be kept up-to-date.
    • Regular audits of HSM configuration and usage must be performed.

8. IP Obfuscation Procedure (Data Masking / Tokenization)

  • Implement techniques like data masking, tokenization, or anonymization to obfuscate or de-identify sensitive data, especially PAN and PII, when used in non-production environments (e.g., development, testing, analytics) or displayed to users not explicitly authorized to see the full data set.
  • Masking: PAN must be masked when displayed such that only the maximum of the first six and last four digits are shown (PCI DSS Req 3.4). Similar principles should apply to other sensitive numeric identifiers.
  • Tokenization: If tokenization is used to replace PAN, the tokenization system must be implemented securely, ensuring tokens cannot be correlated back to the original PAN outside the secure token vault, and the vault itself must be secured within the CDE and protected according to PCI DSS.
  • Implementation: Obfuscation techniques must be implemented securely, ensuring the original sensitive data cannot be easily reversed or inferred. Access to systems performing obfuscation or de-obfuscation must be strictly controlled.
  • Procedures must document approved obfuscation methods, use cases, and implementation standards.

9. Data Loss Prevention (DLP) Policy

  • Implement Data Loss Prevention (DLP) technologies and processes to detect and/or prevent the unauthorized exfiltration or leakage of sensitive data from endpoints, networks, email systems, and cloud applications.
  • Define DLP rules based on data classification, content inspection (keywords, regular expressions for PAN/PII), and contextual analysis (user, destination, protocol).
  • Configure DLP systems in monitoring mode initially to establish baselines and fine-tune rules, then implement blocking actions based on risk tolerance and approved policies.
  • Establish clear procedures for investigating and responding to DLP alerts, including escalation paths and incident response integration.
  • Regularly review and update DLP rulesets to reflect changes in data sensitivity, business processes, and threat landscape.
  • Manage DLP system configurations securely, restricting administrative access and logging all changes.

10. Data Retention and Disposal

  • Establish and maintain a data retention schedule defining how long different types of data (based on classification and legal/regulatory requirements) must be kept. Minimize retention periods to only what is necessary for business, legal, or regulatory purposes.
  • PAN data storage must be kept to a minimum, explicitly linked to the documented business justification and retention schedule (PCI DSS Req 3.1). Implement processes to securely delete or render unreadable stored PAN data when no longer needed.
  • Implement secure processes for disposing of sensitive data, regardless of media type (digital, physical).
    • Digital media must be securely wiped (using industry-accepted methods like NIST SP 800-88), degaussed, or physically destroyed (shredded, pulverized).
    • Physical media (paper) containing sensitive data must be cross-cut shredded, incinerated, or pulped.
  • Maintain records of data disposal activities, especially for sensitive data or regulated data types.

11. Data Transfer and Third-Party Sharing

  • Transfer of sensitive data to third parties must be subject to due diligence (per TPSP Policy), contractual agreements specifying data protection responsibilities, and secure transfer mechanisms (See Section 5).
  • Data sharing agreements must clearly define the scope of data shared, purpose, permitted uses, security requirements, breach notification obligations, and data return/destruction requirements.

12. Monitoring, Auditing, and Compliance

  • Implement mechanisms to monitor access to sensitive data and detect potential unauthorized activities (e.g., SIEM correlation, database activity monitoring).
  • Regularly audit data protection controls (e.g., encryption configurations, key management practices, DLP effectiveness, access logs) to ensure compliance with this policy and relevant regulations.
  • Maintain documentation of data protection measures, risk assessments, audits, and compliance activities.

Enforcement

  • Failure to comply with this Data Protection & Encryption Policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with established HR policies and contractual agreements.
  • Violations may also lead to legal or regulatory penalties for the company.
  • Exceptions to this policy require a documented business justification, formal risk assessment outlining potential impacts and compensating controls, and written approval from the CISO/IT Director and potentially Legal/Executive Management based on risk. Approved exceptions must be reviewed at least annually.

Revision History

Version Date Author Change Details
1.0 [Date] [Author Name] Initial policy release
[Ver #] [Date] [Author Name] [Summary of changes]

Approval

Name Title Signature Date
[Exec Name] [Executive Title, e.g., CIO] [Date]
[CISO Name] [CISO/IT Director Title] [Date]

Appendix Appendix Appendix A: Data Classification Levels - Example

Level Description Examples Handling Requirements (Illustrative)
4 - Restricted / Sensitive Highest sensitivity. Unauthorized disclosure could cause severe damage. Regulated data. CHD, SAD, PHI, Gov IDs, Authentication Data, Critical IP Strict Need-to-Know Access, Encryption Required (Rest & Transit), Strict Retention/Disposal, Audit Logs
3 - Confidential Sensitive internal data. Unauthorized disclosure could harm operations/reputation. Financial Records, Employee PII, Business Strategy, Contracts Limited Internal Access, Encryption Recommended/Required based on Risk, Secure Handling/Disposal
2 - Internal Use Data not intended for public release. Disclosure unlikely to cause major harm. Internal Memos, Org Charts, Non-Sensitive Project Docs General Internal Access, Standard Security Controls, Prevent Public Disclosure
1 - Public Information approved for public release. Marketing Materials, Press Releases, Public Website Content No Specific Restrictions

Appendix Appendix B: Cryptographic Standards - Summary Table (Example)

Use Case Minimum Standard Recommended Standard Prohibited Key Management Requirement
Data at Rest (PAN) AES-128 AES-256 DES, 3DES (2-key), Blowfish Strong Key Mgmt (Sec 7), HSM Recommended
Data at Rest (Other Sensitive) AES-128 / Risk Based AES-256 DES, 3DES (2-key) Strong Key Mgmt (Sec 7)
Data in Transit (Public Network) TLS 1.2 (Strong Ciphers) TLS 1.3 SSL v2/v3, TLS 1.0/1.1, Weak Ciphers Use Trusted CAs, Validate Certs
Data in Transit (Internal) TLS 1.2 / Risk Based TLS 1.3 Unencrypted, SSL/Early TLS Internal CA or Strong Config Recommended
Hashing (Integrity/PAN) SHA-256 SHA-384 / SHA-512 MD5, SHA-1 Use Salt where appropriate
Key Exchange RSA 2048 / ECC 256 RSA 3072+ / ECC 384+ RSA <2048, ECC <256 Secure Generation & Exchange
Wireless Encryption WPA2-PSK (AES) / WPA2-Ent WPA3-PSK (SAE) / WPA3-Ent WEP, WPA-TKIP Strong Passphrase / Secure EAP Method (e.g., EAP-TLS)

Note: This table is illustrative and must be reviewed/updated regularly based on current industry standards and threat landscape.

Appendix Appendix C: Cryptographic Key Management Lifecycle - Phases

  1. Generation: Create keys using approved algorithms and sufficient entropy, ideally within secure hardware (HSM) or approved software libraries.
  2. Distribution/Installation: Securely transport and install keys onto authorized systems/applications. Use secure protocols and protect keys during transit (e.g., wrapped with key-encrypting keys).
  3. Storage: Store keys securely, separate from the data they protect. Protect keys using strong access controls and potentially encryption (using key-encrypting keys). Utilize HSMs for high-assurance storage where required.
  4. Usage: Control key usage based on defined roles and permissions. Log all key usage operations.
  5. Rotation: Replace keys periodically according to defined schedules (e.g., annually) or upon suspected compromise. Ensure smooth transition to new keys.
  6. Backup/Recovery: Securely back up cryptographic keys and associated parameters necessary for recovery. Test recovery procedures periodically. Store backups securely, potentially offline.
  7. Revocation/Destruction: Securely revoke or destroy keys when they are no longer needed, compromised, or retired. Ensure keys cannot be recovered after destruction using methods like crypto-shredding or physical destruction of HSMs/media.

Appendix Appendix D: PCI DSS 4.0.1 Data Protection & Encryption Requirements Mapping

PCI DSS Requirement Relevant Policy Section(s) Key Controls Covered
Req 3 (Overall) Policy Req 1, 2, 4, 5, 6, 7, 8, 10 Protect Stored Account Data (Minimize, Mask, Truncate, Encrypt, Key Mgmt, Secure Deletion)
3.1 Policy Req 10 (Data Retention), Req 4 (PAN Justification) Keep CHD storage to a minimum; Data retention and disposal policies.
3.3 Policy Req 4 (PAN Protection) Mask PAN when displayed (max first 6/last 4).
3.4 Policy Req 4 (PAN Protection), Req 8 (IP Obfuscation) Render PAN unreadable wherever stored (Encryption, Tokenization, Hashing, Truncation).
3.5 (Incl 3.5.1) Policy Req 7 (Key Management, HSM), Req 6 (Crypto Standards) Documented procedures for protection of keys used for encryption of stored CHD; Restrict access; Secure storage/distribution.
3.6 (Incl 3.6.1-3.6.4) Policy Req 7 (Key Management, HSM) Documented key management processes covering full lifecycle, limited crypto periods, rotation, replacement, retirement.
3.7 (Incl 3.7.1) Policy Req 7 (Key Management) Documented security policies and operational procedures for key management.
Req 4 (Overall) Policy Req 5 (Encryption In Transit), Req 6 (Crypto Standards) Protect CHD with strong cryptography during transmission over open, public networks.
4.1 Policy Req 5 (Encryption In Transit), Req 6 (Crypto Standards) Use strong crypto and secure protocols (e.g., TLS Req 1.2+) for CHD transmission over open networks.
4.2 (Incl 4.2.1) Policy Req 5 (Encryption In Transit), Req 4 (PAN Protection - End User Msg) Never send unprotected PANs by end-user messaging; Use strong crypto for wireless transmission (Appendix Appendix B).
6.4.2 Policy Req 2 (Data Handling), Req 8 (IP Obfuscation) Prohibit use of production data (live PANs) for testing/development.
9.5.1.2 (New) Policy Req 10 (Data Disposal - Digital) Securely render stored CHD on electronic media unrecoverable upon disposal.
10.7 Policy Req 10 (Data Retention), Req 4 (PAN Justification) Retain audit logs for at least one year (related to data access/protection).
12.2 Policy Req 3, 4, 6, 7, 8, 9, 10 Risk assessment process considers threats to sensitive data (implied).
12.8 Policy Req 11 (Data Transfer/Third-Party) Requirements for TPSPs handling sensitive data.

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy