PCI-DSS 3.5: Protect Stored Account Data Explained
Do not store sensitive authentication data after authorization and protect stored cardholder data with strong cryptography.
OFFICIAL REFERENCE (PARAPHRASED)
Primary account number is secured wherever it is stored. (PCI DSS v4.0.1 Requirement 3.5.1)
Last reviewed: June 2026. Not legal or audit advice.
WHAT EVIDENCE SATISFIES THIS
- ✓ Data retention and storage policy
- ✓ Encryption configuration for stored cardholder data (CHD)
- ✓ Key management procedures
- ✓ Data discovery scan results confirming no sensitive authentication data (SAD) storage