Are there alternatives to encrypting stored data?

Stored cardholder data should be rendered unreadable according to requirement 3 of the PCI Security Audit Procedures document. If encryption, truncation, or another comparable approach cannot be used, encryption options should continue to be investigated as the technology is rapidly evolving. In the interim, while encryption solutions are being investigated, stored data must be strongly protected by compensating controls.

An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:

  • Internal firewall that specifically protect the database
  • TCP wrappers or firewall on the database to specifically limit who can connect to the database
  • Separation of the corporate internal network on a different network segment from production,
    fire- walled away from database servers.