Understanding PCI DSS Encryption Requirements in 2025

Over the shoulder view of an engineer working on code

Payment card transactions are an integral part of daily life, so ensuring the security of sensitive cardholder data is crucial. PCI DSS, or the Payment Card Industry Data Security Standard, provides a comprehensive set of guidelines to help businesses protect cardholder data and maintain secure systems. 

With the release of PCI DSS 4.0.1 in 2024 and the approaching enforcement deadline of March 31, 2025 for many of the new requirements, organizations need to understand how encryption requirements have evolved to address emerging threats in the payment card ecosystem.

One of the most critical aspects of PCI DSS compliance is encryption. But what exactly is encryption, and why is it so important for PCI DSS? In this post, we’ll explore the role of encryption in PCI DSS compliance and discuss best practices for implementing robust encryption solutions to safeguard your customers’ sensitive data.

As Christopher Strand, PCIP (Strategic Advisor, Thoropass) mentioned in a recent PCI DSS webinar hosted by Thoropass, “PCI will state that 4.0 is the biggest change to PCI in a long time. It’s one of the biggest releases of the standard in a while.” Understanding these changes, particularly around encryption and continuous security monitoring, is critical for maintaining compliance and protecting cardholder data.

Understanding and implementing PCI DSS encryption requirements can significantly reduce your risk of data breaches, financial losses, and reputational damage. By following these guidelines, businesses can ensure the confidentiality, integrity, and availability of cardholder data, ultimately providing a more secure and trustworthy environment for customers. 

Key takeaways

  • Encryption is essential for PCI DSS compliance and protecting cardholder data. Strong encryption algorithms, key management techniques and regularly testing/updating protocols are best practices to reduce the risk of data breaches and maintain compliance
  • Network security controls, access control measures, and monitoring/logging system activity also help meet additional requirements
  • Continuous analysis and monitoring are increasingly emphasized in PCI DSS 4.0/4.0.1. Automated security tools can significantly streamline compliance efforts
  • Supply chain security has received enhanced scrutiny in the updated standard

Key PCI DSS encryption requirements

To achieve PCI DSS compliance, organizations must fulfill specific encryption requirements, focusing on safeguarding stored cardholder data, ensuring secure data transmission, and effectively managing encryption keys. Implementation of these requirements enables businesses to protect sensitive information from unauthorized access while preserving the confidentiality, integrity, and availability of cardholder data.

PCI DSS 4.0.1 clarifies several aspects of encryption requirements, particularly for organizations that handle sensitive authentication data (SAD). The updated standard emphasizes that any SAD storage must be based on “a legitimate and documented business need” and provides clearer guidance on what constitutes such a need.

Encryption algorithms with at least 128 bits of effective key strength should be utilized, and appropriate key management practices should be adhered to, as per the recommendations of PCI DSS. AES, for instance, meets these requirements due to its NIST approval and widespread industry adoption. Usually, this encryption process occurs via one of the following methods:

  • One-way hash functions
  • Truncation
  • Index tokens and securely stored data pads

Requirement 3: Safeguard stored cardholder data

Requirement 3 of PCI DSS compliance underscores the critical role of access control and encryption in safeguarding stored cardholder data from unauthorized access. This requirement comprises several sub-requirements:

  • Requirement 3.1: Keep cardholder data storage to a minimum. Do not store sensitive authentication data after authorization.
  • Requirement 3.2: Do not store sensitive authentication data after authorization. (Note the subtle but important language change from “retain” to “store” in the 4.0.1. update)
  • Requirement 3.3: Mask PANs when displayed.
  • Requirement 3.4: Render PAN unreadable anywhere it is stored.
  • Requirement 3.5: Protect cryptographic keys used for encryption of cardholder data against disclosure and misuse.
  • Requirement 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys.
  • Requirement 3.7: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

PCI DSS 4.0.1 also provides additional guidance on when it may be acceptable to store SAD in non-persistent memory, which can be important for certain transaction processing workflows. By adhering to these sub-requirements, organizations can ensure robust access control measures, thereby significantly reducing the risk of data breaches.

The preferred encryption method for PCI DSS compliance is AES (Advanced Encryption Standard), which guarantees the confidentiality and integrity of stored cardholder data. To further enhance security, organizations should employ proper key management techniques, such as securely storing encryption keys separately from encrypted data and implementing access controls to prevent unauthorized access.

Requirement 4: Secure transmission of cardholder data

Requirement 4 of PCI DSS mandates the use of strong encryption protocols, such as Secure Sockets Layer (SSL v3.0 or higher) or Transport Layer Security (TLS v1.2 or higher), for transmitting cardholder data over public networks. These protocols ensure the confidentiality and integrity of cardholder data during transmission, preventing unauthorized individuals from intercepting and deciphering sensitive information.

This requirement also comprises several sub-requirements:

  • Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open public networks.
  • Requirement 4.2: Never send unprotected PANs by end-user messaging technologies.
  • Requirement 4.3: It is imperative for companies to meticulously document, put into action, and disseminate all security policies and operational procedures that are pertinent to the protection of cardholder data.

Organizations should regularly update and test their encryption protocols to identify and address potential vulnerabilities and maintain compliance with the latest security standards. Compliance with Requirement 4 enables businesses to safeguard cardholder data during transmission effectively, mitigating the risk of data breaches and unauthorized access.

Close up of a laptop and checklist
Continued Reading
Encryption is just one part of achieving PCI DSS compliance

Use this checklist to work through the 12 essential requirements for safeguarding cardholder data.

Your PCI DSS compliance checklist: The 12 essential requirements icon-arrow-long

Best encryption practices for PCI DSS 

To ensure robust protection of cardholder data, organizations should follow best practices for PCI DSS encryption, including choosing strong encryption algorithms, implementing key management techniques, and regularly testing and updating encryption protocols. Adhering to these best practices significantly reduces the risk of data breaches and unauthorized access to sensitive information.

PCI DSS 4.0/4.0.1 places increased scrutiny on the entire payment ecosystem, including third-party service providers. 

Implementation of these best practices allows organizations to create a more secure environment for customers, thereby fostering trust and confidence in their payment card transactions. 

One-way hash functions

PCI DSS 4.0.1 provides important clarifications regarding one-way hash functions. The updated standard specifies that when using cryptographic hashes to protect PAN data, organizations should implement keyed cryptographic hashes with associated key management processes and procedures as an additional control to prevent correlation attacks. By March 2025, specific requirements for cryptographic hash implementations will replace the general guidance in Requirement 3.5.1.

Truncation

Truncation is another method used to protect sensitive data. It involves removing a portion of the data to make it unreadable and less useful to potential attackers. For instance, only a portion of the card number may be kept when storing cardholder data, while the rest is discarded. This renders the remaining data useless for fraudulent activities, as the complete card number is needed for processing transactions.

Index tokens and securely stored pads

Index tokens and securely stored pads offer another layer of security in PCI DSS compliance. Index tokens replace cardholder data with a non-sensitive equivalent, known as a token. These tokens have no meaningful value and can be used in place of sensitive data in a database or internal system. Securely stored pads, on the other hand, are secret random keys known only to the sender and receiver. They’re used to convert plaintext into ciphertext and vice versa, adding another layer of data protection.

Strong cryptography

Strong cryptography is a key requirement in PCI DSS compliance. It involves the use of algorithms that have been widely tested and accepted by the international cryptography community. The PCI Security Standards Council specifies a minimum of 112-bits of effective key strength and proper key management practices as essential requirements for all cryptographic implementations. Strong cryptographic methods, such as RSA, ECC, and DSA, are effective in protecting sensitive data during transmission over public networks, as well as when stored.

PCI DSS 4.0/4.0.1 emphasizes not just implementing strong cryptography but continuously monitoring and testing these implementations. 

AES encryption

Advanced Encryption Standard (AES) is a widely adopted and recommended encryption method for PCI DSS compliance. AES is a symmetric key algorithm that provides strong security and has been approved by the National Institute of Standards and Technology (NIST). With key lengths of 128, 192, or 256 bits, AES provides a high level of security for sensitive data, making it an ideal choice for organizations aiming to achieve PCI DSS compliance.

Meeting additional PCI DSS compliance requirements

In addition to encryption requirements, achieving PCI DSS compliance involves implementing various network security controls, restricting access to cardholder data, and monitoring and logging system activity. Addressing these additional requirements allows organizations to bolster their security posture further and provide a safer environment for cardholder data.

A critical first step in PCI DSS compliance that experts consistently emphasize is proper scoping.

Proper scoping ensures you apply appropriate security controls to all systems that store, process, or transmit cardholder data or could impact the security of those systems.

Implementing network security controls

Network security controls, such as firewalls and intrusion detection systems, play a vital role in protecting cardholder data environments from external threats. Firewalls help control incoming and outgoing network traffic, preventing unauthorized access to sensitive data, while intrusion detection systems monitor for potential security breaches and alert organizations to suspicious activity.

A critical component of Requirement 11.3.2 is the use of Approved Scanning Vendors (ASVs). An ASV is an organization with a set of security services and tools (known as an “ASV scan solution”) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements. The scanning vendor’s ASV scan solution is tested and approved by the PCI Security Standards Council (PCI SSC) before an ASV is added to PCI SSC’s List of Approved Scanning Vendors. PCI DSS 4.0.1 further clarifies that vulnerabilities identified during these external vulnerability scans should be incorporated into the entity’s vulnerability management process and draw from multiple vulnerability sources.

The implementation of robust network security controls enables organizations to:

  • Protect cardholder data environments from potential threats effectively
  • Maintain PCI DSS compliance
  • Regularly test and update these controls
  • Stringently monitor network activity

These measures further ensure the security and integrity of sensitive cardholder data, effectively working to secure cardholder data and protect stored cardholder data. Under PCI DSS 4.0/4.0.1, there’s increased emphasis on continuous monitoring rather than point-in-time assessments. Technologies that provide real-time visibility into network security posture are becoming essential for meeting the evolving requirements.

Restricting access to cardholder data

Restricting access to cardholder data based on the principle of least privilege helps ensure that only authorized individuals have access to sensitive information. Least privilege entails granting access rights only to those who require it for their job responsibilities, minimizing the potential for unauthorized access and data breaches.

Strong access control measures, such as role-based access control (RBAC), unique user accounts and passwords, and physical access restrictions, can further enhance cardholder data security. Adherence to these best practices allows organizations to protect sensitive cardholder data effectively and maintain PCI DSS compliance.

Monitoring and logging system activity

Monitoring and logging system activity is critical for detecting and responding to potential security incidents and maintaining compliance with PCI DSS requirements. Organizations should utilize automated tools to monitor and log system activity to identify and address potential vulnerabilities in their cardholder data environments.

Regular review of system logs helps organizations spot unusual activity, ensuring that they are meeting PCI DSS requirements and maintaining a secure environment for cardholder data. Implementation of effective monitoring and logging practices allows organizations to proactively address security threats and protect sensitive cardholder data.

Foster trust through PCI DSS compliance with Thoropass

PCI Data Security Standards (PCI DSS) 4.0.1 is required for any businesses that process, store, or transmit credit cards and is enforced by the Card Brands and Acquiring Banks. Thoropass streamlines and accelerates your certification by combining automation with self-assessment support and expert insights. Get certified faster with less work and headaches.

Our end-to-end experience for PCI DSS compliance:

  • STEP 1 – Kick-off: After a technical deep-dive and gap analysis with your team, Thoropass’s experts customize your PCI readiness and compliance roadmap
  • STEP 2 – Onboarding: Get up and running in minutes with PCI policy and procedure templates, native integrations, and collaboration tools
  • STEP 3 – Implementation: Put PCI DSS controls into operation with guided workflows, continuous monitors, action items, project management tools, and expert support
  • STEP 4 – PCI DSS audit: Ready your business for a successful PCI DSS audit or self-attestation with automated evidence-gathering and expert guidance
  • STEP 5 – And beyond… Leverage our complete platform to recertify PCI DSS, add more compliance frameworks, and maintain continuous compliance

More FAQs about PCI DSS encryption requirements

The PCI DSS encryption requirements include one-way hash functions, strong cryptography, truncation, securely stored data pads and index tokens, and the use of AES (128-bit or higher), RSA (2048 bits or higher), TDES/TDEA, DSA/D-H (2048/224 bits or higher), and ECC (224 bits or higher).

PCI DSS does not require end-to-end encryption, only data concealment of PAN.

To secure data encryption keys according to PCI DSS, key access should be restricted to the fewest custodians possible, and the strength of the cryptographic keys should match that of the data-encrypting keys, with both stored separately.

Access to the keys should be limited to only those who need it, and the keys should be stored in a secure location. The keys should be regularly rotated and monitored to ensure that they remain secure. Additionally, the keys should be backed up in case of an emergency.

For PCI DSS compliance, AES (128-bit or higher), RSA (2048 bits or higher), TDES/TDEA, DSA/D-H (2048/224 bits or higher), and ECC (224 bits or higher) are the recommended encryption algorithms.

Effective encryption algorithms, proficient key management strategies, and consistent protocol testing and updates are crucial principles for safeguarding data in accordance with PCI DSS encryption standards.

Oro provides content designed to educate and help audiences on their compliance journey.

Share this post with your network:

Related Posts

Healthcare cyberattacks are rising fast. Here’s how to stop them before they start.

Cyberattacks in healthcare aren't just rising—they're exploding. While 97% of healthcare professionals feel confident in their organization's ability to defend against cyber threats, the reality paints a different picture. In...
Read Article icon-arrow

Cybersecurity risk management: Strategic approaches for enterprise protection

For mid-size enterprises, cybersecurity risk management has evolved beyond a simple compliance checkbox into a strategic business imperative. As threats grow more sophisticated and regulatory requirements multiply, large organizations find...
Read Article icon-arrow