Benchmark: Requirement 3: Protect stored cardholder data
Description
Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Requirement 3: Protect stored cardholder data.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_3 --share
Benchmarks
- 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes
- 3.2 Do not store sensitive authentication data after authorization (even if encrypted)
- 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using approaches such as one-way hashes based on strong cryptography, truncation, etc.
- 3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse
- 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data