3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Defined Approach Requirements
3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Customized Approach Objective
This requirement is not eligible for the customized approach.
Applicability Notes
Whether SAD is permitted to be stored prior to authorization is determined by the organizations that manage compliance programs (for example, payment brands and acquirers). Contact these organizations for any additional criteria.
This requirement applies to all storage of SAD, even if no PAN is present in the environment.
Refer to Requirement 3.2.1 for an additional requirement that applies if SAD is stored prior to completion of authorization.
Issuers and companies that support issuing services, where there is a legitimate and documented business need to store SAD, are not required to meet this requirement. A legitimate business need is one that is necessary for the performance of the function being provided by or for the issuer.
Refer to Requirement 3.3.3 for requirements specifically for these entities.
This requirement does not replace how PIN blocks are required to be managed, nor does it mean that a properly encrypted PIN block needs to be encrypted again.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures
3.3.2 Examine data stores, system configurations, and/or vendor documentation to verify that all SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Purpose
SAD can be used by malicious individuals to increase the probability of successfully generating counterfeit payment cards and creating fraudulent transactions.
Good Practice
Entities should consider encrypting SAD with a different cryptographic key than is used to encrypt PAN. Note that this does not mean that PAN present in SAD (as part of track data) would need to be separately encrypted.
Definitions
The authorization process is completed when a merchant receives a transaction response (for example, an approval or decline).
Refer to Appendix G for the definition of "authorization."
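The Good Practice and Definitions passages above state the mechanics the testing procedure checks for: SAD encrypted with strong cryptography, under a key kept separate from the one protecting PAN, with the plaintext held only until the authorization response arrives. The Go program below is an added example written for this page; it is not code from PCI SSC, a payment brand or any vendor. It assumes AES-256-GCM as the strong cipher, keys generated in-process where production would draw them from an HSM or key-management service, and a constructed transaction ID and sample SAD string (the PAN in the track data is a publicly known test number).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SADVault wraps an AES-256-GCM key that is used ONLY for sensitive
// authentication data. PAN is encrypted elsewhere under a different key,
// which is the key-separation practice the Good Practice note describes.
type SADVault struct {
	aead cipher.AEAD
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG. This stands in for
// an HSM or key-management service (assumption for this example).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// NewSADVault builds the AEAD from a 32-byte key and rejects anything else.
func NewSADVault(key []byte) (*SADVault, error) {
	if len(key) != 32 {
		return nil, errors.New("SAD key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SADVault{aead: aead}, nil
}

// Seal encrypts SAD for storage while the transaction awaits authorization.
// Blob layout: nonce || ciphertext || GCM tag. The transaction ID is bound as
// associated data so a stored blob cannot be replayed against another transaction.
func (v *SADVault) Seal(sad []byte, txnID string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, sad, []byte(txnID)), nil
}

// Open decrypts a blob produced by Seal. A wrong key, a wrong transaction ID
// or any tampering fails GCM authentication and returns an error.
func (v *SADVault) Open(blob []byte, txnID string) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(txnID))
}

// Zeroize overwrites plaintext SAD once the authorization response has been
// received and the plaintext is no longer needed.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	sadKey, _ := NewKey() // dedicated to SAD
	panKey, _ := NewKey() // dedicated to PAN; must never open SAD blobs

	vault, err := NewSADVault(sadKey)
	if err != nil {
		panic(err)
	}

	// Constructed sample SAD for a pending transaction (test PAN, fake CVV2).
	sad := []byte("CVV2=123;TRACK2=4111111111111111=27121015432112345678")
	blob, err := vault.Seal(sad, "txn-000001")
	if err != nil {
		panic(err)
	}
	fmt.Println("blob contains no plaintext SAD:", !bytes.Contains(blob, sad))

	plain, err := vault.Open(blob, "txn-000001")
	fmt.Println("SAD key recovers SAD:", err == nil && bytes.Equal(plain, sad))

	panVault, _ := NewSADVault(panKey)
	_, err = panVault.Open(blob, "txn-000001")
	fmt.Println("PAN key rejected:", err != nil)

	// Authorization response received: wipe plaintext copies. The stored blob
	// would be deleted from the data store at the same point (not shown).
	Zeroize(plain)
	Zeroize(sad)
}
```

Binding the transaction ID as associated data is a design choice beyond what the requirement text asks for: it costs nothing and means a blob copied from one pending transaction's record cannot be decrypted in the context of another. The 32-byte key check in NewSADVault is the kind of guard an assessor examining system configurations would expect to see, since AES-128 via a truncated key would still "work" but would not match a policy that specifies AES-256.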
Purpose
Protect sensitive authentication data while stored for legitimate business needs prior to authorization.
Compliance Strategies
- Strong encryption
- Access controls
Typical Policies
- Sensitive Data Encryption Policy
Common Pitfalls
- Weak encryption
- Overly broad access
Type
Technical Control
Difficulty
High
Key Risks
- SAD compromise before authorization
Recommendations
- Use FIPS 140-2 validated encryption
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER