Disk Level Encryption: The 3.2.1 Magic Bullet has been Left Behind

By Paul Gregoire on November 1, 2023


Prepare for a transformative shift in cardholder data security with PCI DSS v4.0. With native disk encryption no longer a shield, organizations worldwide must swiftly adapt, revisiting encryption strategies for data at rest. Find out what this means for your business.

In the ever-evolving landscape of data security and compliance, change is the only constant. For over a decade, merchants worldwide found solace in the cloak of disk encryption, a magic bullet of sorts, allowing them to sidestep the intricate dance of cardholder data encryption. But as the calendar inches closer to March 2025, the release date of PCI DSS v4.0, a pivotal transformation awaits. You might be thinking, "2025 is a while off," but here's why you should start your preparations now. It's time to steer into a refreshing era for cardholder data at rest, and we'll delve into the winds of change blowing through the realm of data security.

It's time to roll up your sleeves and get to work, ensuring cardholder data's true protection to meet v4.0 compliance.

Merchants around the world have been using disk encryption to sidestep encrypting cardholder data for at least a decade. Well, that magic bullet has been removed from the chamber in PCI DSS v4.0.

This March 2025 postdated requirement is going to cause a stir among many organizations. And while that may seem like a long way out, here’s why you will want to start now.

Refreshing news for cardholder data at rest.

Native NAS or SAN encryption must be addressed if it is the only method of encrypting cardholder data. Finally, there has been explicit clarification: if cardholder data is stored within a data centre or cloud storage system that is natively encrypted, the data on that storage system, i.e., the PAN, must also be rendered unrecoverable via another mechanism specified in requirement 3.5.1.

However, there is a small consolation for removable media such as backup tapes, USB keys, etc.

Native strong encryption with the use of these technologies is still allowed if you follow all key management and encryption requirements throughout requirement 3.


So, what does this mean?

All organizations that used this magic bullet (you know who you are) will need to find another way to protect the cardholder data that sits on these encrypted storage systems. One-way hashing, tokenization, truncation, column/file-level encryption, or regular encryption will now need to be addressed, and fast!
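As an illustration of two of the mechanisms listed above (truncation and one-way hashing), here is an added example, not code from this article or from Online, that strips the full PAN from a record before it is written to storage. The field names, the first-six/last-four truncation format, and HMAC-SHA-256 as the keyed hash are assumptions of this sketch; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits (assumed format); mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_lookup_hash(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable for matching without storing it.
    A plain unkeyed hash is avoided because the PAN space is small enough to brute-force."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def protect_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with the clear-text PAN removed."""
    pan = "".join(c for c in record["pan"] if c.isdigit())
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    stored = {k: v for k, v in record.items() if k != "pan"}
    stored["pan_truncated"] = truncate_pan(pan)       # for display and support use
    stored["pan_hmac"] = pan_lookup_hash(pan, key)    # for duplicate/lookup matching
    return stored

# Constructed sample input: 4111 1111 1111 1111 is a widely used test number.
SAMPLE = {"order_id": "A-1001", "pan": "4111 1111 1111 1111"}
# Placeholder key: in a real deployment it would come from a key manager,
# never from the storage system that holds the hashed values.
KEY = secrets.token_bytes(32)

if __name__ == "__main__":
    print(protect_record(SAMPLE, KEY))
```

If the truncated digits and the hash of the same PAN are stored together, the secrecy of the key is what prevents the masked digits from being recovered by brute force, so the key must be managed separately from the data.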

With only a year and a half(ish) left until it becomes a requirement, there is no time to stop and smell the roses as you will need to redesign and implement technology and processes to meet this new requirement. 

This will not be for the faint of heart as organizations will need to:

  • Update hardware and software
  • Develop new code
  • Implement new enterprise-level databases that include column-level encryption capabilities
  • And more


Let’s get to work!

After a decade of skirting the true spirit of safeguarding cardholder data by only using native data storage encryption, the party is over and the music has stopped, so let’s get to work and truly protect cardholder data at rest.


For additional insight and guidance from Online’s QSA team, explore more valuable content in our digital PCI DSS v4.0 Resource Center. We are adding insights regularly with valuable 'in the trenches' tips for success. Or, if you have questions – no matter how big or small – one of our experienced QSAs would be happy to provide guidance and share knowledge.

Send us an email at connect@obsglobal.com



