Prime Factors Blog


Complying with PCI DSS 4.0: Securing Cardholder Data in Storage, Transit, and Use and Enabling Crypto-Agility

by Juan Asenjo
July 14, 2025

The Payment Card Industry Data Security Standard (PCI DSS) 4.0 introduced a set of future-dated requirements that were best practices until 31 March 2025 and are mandatory from that date. They apply to every organization that stores, processes, or transmits cardholder data, including merchants, processors, issuers, acquirers, and service providers, and they broaden the standard's emphasis beyond protecting cardholder data at rest: robust protection of data in transit and in use is now mandated, along with new expectations for crypto-agility, the ability to adapt cryptographic methods as threats and standards evolve.

This blog outlines key PCI DSS 4.0 updates, what they mean for protecting Primary Account Numbers (PANs) and Sensitive Authentication Data (SAD), and how organizations can meet these requirements using modern data protection techniques.

The Evolution: From Storage-Only to Full Lifecycle Protection

Earlier versions of PCI DSS concentrated heavily on protection at rest, requiring encryption, strong access controls, and cryptographic key management for stored cardholder data. Requirement 3 in PCI DSS 3.2.1 centred on rendering stored PAN unreadable through one-way hashing, truncation, index tokens, or strong cryptography, and on disk- or file-level encryption whose access was managed separately from the operating system, to limit exposure if systems were compromised. This focus made sense at the time, as stored data was a prime target.

Today's attack surface is broader: modern applications, distributed architectures, and cloud infrastructure move sensitive cardholder data across complex environments, and attackers increasingly target data in transit and data in use, which are often less well protected than data at rest.

PCI DSS 4.0: A Holistic Approach to Cardholder Data Security

PCI DSS 4.0 expands data protection requirements across the entire data lifecycle. Here’s a breakdown of the new and updated expectations:

A. Protecting Data in Storage

  • Requirement 3.3.3: Issuers and companies that support issuing services may store SAD only for a legitimate issuing business need, and any SAD they store must be encrypted using strong cryptography (a best practice until 31 March 2025, now required). Everyone else remains bound by Requirement 3.3.1: SAD is not retained after authorization, even if encrypted.
  • Requirement 3.5.1.1: Where hashing is used to render PAN unreadable, it must be a keyed cryptographic hash of the entire PAN, with key management per Requirements 3.6 and 3.7. An unkeyed hash such as a plain SHA-256 of the PAN no longer qualifies, because the space of possible PANs is small enough to enumerate, especially when a truncated copy of the same PAN is also available.
  • Requirement 3.5.1.2: Disk- or partition-level encryption alone is no longer sufficient on non-removable media; PAN must also be rendered unreadable by another mechanism from Requirement 3.5.1 (keyed hashing, truncation, index tokens, or field-, column-, or file-level strong cryptography). Rendering PAN unreadable does not take the system that stores it out of PCI DSS scope.

B. Protecting Data in Transit

  • Requirement 4.2.1: PAN transmitted over open, public networks must be protected with strong cryptography and secure protocols. The protocol must support only secure versions and configurations (in practice TLS 1.2 or later, since SSL and early TLS are no longer considered secure), only trusted keys and certificates may be accepted, and the encryption strength must be appropriate for the method in use.
  • Requirement 4.2.1.1: An inventory of the trusted keys and certificates used to protect PAN during transmission must be maintained.
  • Certificates used to safeguard PAN over open, public networks must be confirmed valid and not expired or revoked (a best practice until 31 March 2025, now required).
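The settings behind these bullets, as an added example that is not code from the post or from EncryptRIGHT: a hardened client-side TLS context for sending PAN to an acquirer, the cipher-suite inventory that Requirement 12.3.3 (below) asks to be documented and reviewed, and a validity-window check on the peer certificate. It uses only Python's standard-library `ssl` module. `SAMPLE_PEERCERT` is a constructed stand-in for what `SSLSocket.getpeercert()` returns, and `pay.example.test` is a placeholder host.

```python
"""TLS client hardening for PAN in transit (Requirement 4.2.1) plus a
cipher-suite inventory of the kind Requirement 12.3.3 expects.
Added example on the standard-library ssl module; not the post's or
EncryptRIGHT's code. SAMPLE_PEERCERT is constructed for the demo."""
import ssl
import time
from typing import Any, Dict, List, Optional


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Refuse SSL 3 and TLS 1.0/1.1, require a chain to a trusted CA, check
    the hostname, and offer only forward-secret AEAD suites."""
    ctx = ssl.create_default_context(cafile=cafile)   # loads the trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # "only secure versions"
    ctx.verify_mode = ssl.CERT_REQUIRED               # "only trusted certificates"
    ctx.check_hostname = True
    # ECDHE key exchange and AEAD ciphers only; the explicit exclusions are
    # belt-and-braces against a permissive default list on older builds.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, Any]:
    """The settings an assessor asks about, as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def cipher_inventory(ctx: ssl.SSLContext) -> List[Dict[str, Any]]:
    """Every suite the context would offer, in priority order. 12.3.3 wants
    this recorded with purpose and location and reviewed at least yearly."""
    return [
        {"name": c["name"], "protocol": c["protocol"],
         "strength_bits": c["strength_bits"], "aead": c["aead"]}
        for c in ctx.get_ciphers()
    ]


def weak_suites(inventory: List[Dict[str, Any]]) -> List[str]:
    """Anything below 128-bit strength or without AEAD fails the review."""
    return [c["name"] for c in inventory
            if c["strength_bits"] < 128 or not c["aead"]]


def epoch(cert_time: str) -> float:
    """OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def certificate_is_current(peercert: Dict[str, Any],
                           now: Optional[float] = None) -> bool:
    """4.2.1: the certificate must be inside its validity window. Revocation
    (OCSP/CRL) is not visible in getpeercert() output; check it separately."""
    now = time.time() if now is None else now
    return epoch(peercert["notBefore"]) <= now < epoch(peercert["notAfter"])


SAMPLE_PEERCERT: Dict[str, Any] = {       # constructed, getpeercert() shape
    "subject": ((("commonName", "pay.example.test"),),),
    "notBefore": "Mar 15 00:00:00 2025 GMT",
    "notAfter": "Mar 14 23:59:59 2026 GMT",
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print(context_summary(ctx))
    print("weak suites:", weak_suites(cipher_inventory(ctx)))
    print("certificate current:",
          certificate_is_current(SAMPLE_PEERCERT, epoch("Sep 01 12:00:00 2025 GMT")))
```

The inventory is what the yearly 12.3.3 review starts from: export it from every service that talks to a payment endpoint, attach the purpose ("PAN to acquirer") and location, and run `weak_suites` over the result whenever the cipher policy or the OpenSSL build changes. The expiry check here is only half of the certificate bullet; revocation status must come from OCSP or a CRL lookup.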

C. Protecting Data in Use

  • PCI DSS 4.0 acknowledges that cardholder data remains exposed while it is actively processed or displayed, even though it stops short of a dedicated data-in-use requirement.
  • Requirement 3.4.1: PAN must be masked when displayed, with the BIN and last four digits as the maximum that may be shown, so that only personnel with a legitimate business need can see more of the PAN. Requirement 3.4.2 adds technical controls that prevent PAN from being copied or relocated when accessed through remote-access technologies, except by personnel with documented, explicit authorization.
  • Requirement 3.5.1: PAN must be rendered unreadable anywhere it is stored, including backups and audit, exception, or troubleshooting logs, using one-way keyed hashing, truncation, index tokens, or strong cryptography with associated key management.
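The storage and display controls above, as an added example that is not code from the post or from EncryptRIGHT: masking for display (3.4.1), truncation for storage (3.5.1), and the keyed hash that 3.5.1.1 requires next to the unkeyed hash it replaces. It goes one step beyond the text to show why the key matters: given a truncated PAN and an unkeyed hash of the same PAN, the missing digits can be brute-forced in a fraction of a second. Only the standard library is used. The card numbers are the widely published Visa and Mastercard test values, constructed inputs rather than real accounts, and `DEMO_KEY` is a constructed key; in production the key lives in an HSM or KMS under the 3.6/3.7 controls.

```python
"""PAN handling for storage (3.5.1, 3.5.1.1) and display (3.4.1).
Added example, standard library only; not the post's or EncryptRIGHT's code.
Card numbers are constructed test values, DEMO_KEY is a demo-only key."""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

DEMO_KEY = bytes.fromhex("a3f1" * 16)    # 32 bytes, for the demo only
VISA_TEST = "4111111111111111"           # constructed test number
MASTERCARD_TEST = "5555555555554444"     # constructed test number


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; lets the brute force below skip
    candidates that could never be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                   # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, privileged: bool = False, bin_len: int = 6) -> str:
    """3.4.1: show at most the BIN and last four digits; the full PAN is
    returned only to a caller with a documented business need."""
    if privileged:
        return pan
    hidden = len(pan) - bin_len - 4
    return pan[:bin_len] + "*" * hidden + pan[-4:]


def truncate_pan(pan: str, bin_len: int = 6) -> str:
    """3.5.1 truncation for storage: the middle digits are discarded, not
    masked, so nothing in the stored value can recover them."""
    return pan[:bin_len] + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: no longer acceptable under 3.5.1.1."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes = DEMO_KEY) -> str:
    """3.5.1.1: keyed cryptographic hash (HMAC-SHA256) of the entire PAN."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


def recover_pan(truncated: str, digest: str, hash_fn: Callable[[str], str],
                pan_len: int = 16, bin_len: int = 8) -> Optional[str]:
    """Why 3.5.1.1 insists on a key: given a truncated PAN (here an 8-digit
    BIN plus the last four) and a hash of the same PAN, enumerate the missing
    digits and compare. Against an unkeyed hash that is 10^4 guesses. An
    attacker without the key cannot evaluate a keyed hash_fn correctly, so
    the same search finds nothing."""
    head, tail = truncated[:bin_len], truncated[-4:]
    missing = pan_len - bin_len - 4
    for middle in itertools.product("0123456789", repeat=missing):
        candidate = head + "".join(middle) + tail
        if luhn_valid(candidate) and hash_fn(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print(mask_pan(VISA_TEST))
    trunc8 = truncate_pan(VISA_TEST, bin_len=8)
    print(recover_pan(trunc8, unkeyed_hash(VISA_TEST), unkeyed_hash))
    print(recover_pan(trunc8, keyed_hash(VISA_TEST),
                      lambda p: keyed_hash(p, b"attacker-guess")))
```

With a 6-digit BIN the search grows to 10^6 candidates, which is still seconds of work with an optimized hash tool, so the lesson does not depend on the BIN length. This is also the reason 3.5.1 requires additional controls when hashed and truncated versions of the same PAN coexist in an environment: the truncated copy is exactly the hint the brute force needs.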

D. Enabling Crypto-Agility

  • Requirement 12.3.3 underpins crypto-agility: all cryptographic cipher suites and protocols in use must be documented and reviewed at least once every 12 months, with an up-to-date inventory (including purpose and where used), active monitoring of industry trends that affect their continued viability, and a documented strategy for responding to anticipated cryptographic vulnerabilities. Meeting it in practice means being able to update, replace, or retire algorithms quickly.
  • Crypto-agility addresses advances in computing technology, as well as any security, regulatory, or business demand that changes how data must be protected.
  • An agile, policy-driven architecture lets organizations swap out algorithms and keys without rewriting applications, which is what keeps them secure and compliant over time.

To support this holistic approach, PCI DSS 4.0 recommends enterprises:

  • Create an inventory of cryptographic assets (algorithms, protocols, keys, and certificates) and map where and how each data protection mechanism is applied.
  • Enforce the key lifecycle management that Requirements 3.6 and 3.7 already demand, including generation, distribution, rotation, revocation, and retirement.
  • Implement crypto-agile architectures that support updates to cryptography without significant changes to applications or infrastructure.
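What "swap out algorithms without rewriting applications" looks like in code, as an added example that is not the post's or EncryptRIGHT's implementation: a small policy layer that protects a PAN with a keyed hash (the 3.5.1.1 option), stamps each stored value with its policy version and key identifier, verifies values written under any past policy, re-protects old values under the current policy when the plaintext next passes through, and reports which algorithms and keys are in use for the 12.3.3 review. Callers only ever use `protect` and `matches`; moving from HMAC-SHA256 to HMAC-SHA3-256 under a rotated key is a one-line policy change. The policy names, key identifiers, and key bytes are constructed for the demo; real keys come from an HSM or KMS. Format-preserving encryption or tokenization would sit behind the same interface.

```python
"""Policy-driven, versioned PAN protection so the algorithm or key can change
without touching application code. Added example; not the post's or
EncryptRIGHT's code. Keys, key ids and policy numbers are constructed."""
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HashPolicy:
    version: int
    digest: str       # hashlib algorithm name used inside HMAC
    key_id: str       # which key the policy binds to


# Constructed demo keys. Version 2 moves to SHA3-256 under a rotated key.
KEYS: Dict[str, bytes] = {
    "k-2024": bytes.fromhex("11" * 32),
    "k-2025": bytes.fromhex("22" * 32),
}
POLICIES: Dict[int, HashPolicy] = {
    1: HashPolicy(1, "sha256", "k-2024"),
    2: HashPolicy(2, "sha3_256", "k-2025"),
}
CURRENT_VERSION = 2   # the only line that changes on an algorithm or key swap


def protect(pan: str, version: int = CURRENT_VERSION) -> str:
    """Keyed hash of the entire PAN, stored self-described as
    v<version>$<key_id>$<hex> so later readers know how to verify it."""
    policy = POLICIES[version]
    tag = hmac.new(KEYS[policy.key_id], pan.encode(), policy.digest).hexdigest()
    return f"v{policy.version}${policy.key_id}${tag}"


def parse(stored: str) -> Tuple[HashPolicy, bytes, str]:
    """Split a stored value and bind it to its policy; a key id that does not
    match the policy means tampering or a misconfigured policy table."""
    ver, key_id, tag = stored.split("$", 2)
    policy = POLICIES[int(ver[1:])]
    if policy.key_id != key_id:
        raise ValueError("key id does not match policy version")
    return policy, KEYS[key_id], tag


def matches(pan: str, stored: str) -> bool:
    """Verify a PAN against a value written under any policy version."""
    policy, key, tag = parse(stored)
    expected = hmac.new(key, pan.encode(), policy.digest).hexdigest()
    return hmac.compare_digest(expected, tag)


def refresh(pan: str, stored: str) -> str:
    """Re-protect under the current policy. A hash cannot be migrated without
    the plaintext, so this runs when the PAN is next presented (e.g. at the
    next transaction). Values already current are returned unchanged."""
    policy, _, _ = parse(stored)
    if policy.version == CURRENT_VERSION:
        return stored
    if not matches(pan, stored):
        raise ValueError("PAN does not match stored value; refusing to migrate")
    return protect(pan)


def inventory(values: List[str]) -> Dict[str, int]:
    """Count stored values by algorithm and key id: the evidence the yearly
    12.3.3 review needs to show what is still in use and what is retired."""
    counts: Counter = Counter()
    for value in values:
        policy, _, _ = parse(value)
        counts[f"{policy.digest}/{policy.key_id}"] += 1
    return dict(counts)


if __name__ == "__main__":
    pan = "4111111111111111"              # constructed test number
    old = protect(pan, version=1)
    new = refresh(pan, old)
    print(old, new, sep="\n")
    print(inventory([old, new]))
```

The important property is that the version travels with the data: a reader never has to guess which algorithm or key produced a value, and the migration can run gradually rather than as a big-bang re-encryption of every record.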

Meeting the Requirements: A Data-Centric Approach

By promoting a continuous, risk-based approach to security, PCI DSS 4.0 encourages controls that expose cleartext cardholder data only where there is a legitimate business need. Capabilities of this model include:

  • Application-level data protection: Encrypting or tokenizing data in the application, before it reaches the storage layer or a network, so that the protection travels with the data.
  • Format-preserving encryption (FPE): Protecting cardholder data while maintaining its original length and character set, so existing schemas and validation logic keep working.
  • Digital signing and hashing: Ensuring data integrity and authenticity.
  • Masking and redaction: Minimizing exposure of sensitive data in applications and interfaces.
  • Fine-grained access controls: Ensuring that only authorized applications and end users can access cleartext data.

Adopting a data-centric security model enables organizations to reduce cardholder data exposure, facilitating compliance with new requirements.

Next Steps: Building a Future-Proof Strategy

To secure operations now and prepare for future threats, organizations can begin by mapping the complete cardholder data lifecycle across their systems – identifying where PANs and SAD are stored, transmitted, and used to uncover risk points and guide the selection of security mechanisms. To simplify implementation and maintain consistency, it’s important to abstract security functionality from the applications. With centralized policy management and localized execution, cryptographic functions can be quickly changed as needed.

PCI DSS 4.0 shifts from a perimeter and storage-focused model of security to a more holistic, data-centric approach. By emphasizing protection of data in motion and in use, and preparing organizations for cryptographic agility, the new standard pushes the industry toward a future where cardholder data is protected wherever it lives.

A Solution to Simplify Compliance with PCI DSS 4.0 and Beyond

Implementing application-level data protection to meet PCI DSS 4.0 can be complex, and the complexity doesn't end with the initial rollout. As the PCI Security Standards Council revises the standard, and those revisions in turn require changes to security measures and application architecture, enterprises must keep up. To avoid compounding costs and complexity, organizations should adopt crypto-agile architectures that provide robust, broad-spectrum security and also simplify changing security controls over time as PCI DSS evolves. That's exactly what EncryptRIGHT was built for.

EncryptRIGHT is a data security platform that delivers the broad security techniques needed to protect cardholder data in storage, in transit, and in use. It is built on a crypto-agile architecture that abstracts data protection from the applications creating, processing, and storing cardholder data. This enables enterprises to adapt seamlessly to evolving regulatory demands and future PCI DSS changes. EncryptRIGHT reduces development costs, minimizes complexity, and simplifies updating security to comply with PCI DSS 4.0 and beyond.

EncryptRIGHT delivers:

  • Strong data protection leveraging a variety of security techniques, including encryption, tokenization, data masking, hashing, and redaction to protect cardholder data everywhere.
  • Granular role-based access controls to ensure that only authorized users with the right permissions have access to the protected cardholder data.
  • Robust cryptographic key lifecycle management to ensure critical keys are always protected and available.
  • Extensive audit logging and reporting functionality that supports external SIEM integration for traceability and compliance.
  • Support for most common operating systems from Mainframe to Windows and the ability to deploy on-premises, in the cloud, and across hybrid environments to secure your data in whatever environment(s) works for your business.

EncryptRIGHT leverages a crypto-agile, policy-driven approach that allows for centralized control and distributed enforcement of security wherever data is used, moved, or stored. Beyond just crypto-agility, which focuses on trading out algorithms, EncryptRIGHT delivers data-protection-agility, which means almost any facet of security (algorithms, security techniques, masks, keys, etc.) can be swapped out by making simple changes to a policy, without expensive rework. All the functionality of the platform deploys in a single code base that integrates in a few lines of code, without needing developers to be security experts.

EncryptRIGHT helps organizations that store, process, or transmit cardholder data to simplify their data security and comply with the new expanded data protection requirements dictated by PCI DSS 4.0:

  • Render stored PAN unreadable; disk encryption alone is not sufficient – Requirements 3.5.1 and 3.5.1.2.
  • Encrypt any SAD that issuers are permitted to store – Requirement 3.3.3.
  • Protect PANs over open, public networks – Requirement 4.2.1.
  • Mask PANs when displayed – Requirement 3.4.1.
  • Future-proof cryptographic strategy – Requirement 12.3.3.

To experience how EncryptRIGHT can help your organization achieve PCI DSS 4.0 compliance, request a free trial.
