PCI DSS v4.0.1 Encryption Requirements: The 2025 Compliance Guide

Q: What is the difference between encryption and tokenization in PCI?

Encryption uses a mathematical formula and a key to scramble data; it is reversible. Tokenization replaces the data with a non-sensitive placeholder (a token) that has no mathematical relationship to the original data. Tokenization is often preferred because it reduces audit scope.

Q: Can we use SHA-256 for hashing PAN?

Only if it is implemented as a Keyed-Hash Message Authentication Code (HMAC). Simple SHA-256 hashing without a key is no longer sufficient because attackers can use rainbow tables to reverse the hash.

Q: Do we need to encrypt data in RAM/Memory?

Generally, no. PCI DSS focuses on data at rest and in transit. However, you strictly must not store Sensitive Authentication Data (SAD) like CVV codes in logs, debug files, or memory dumps.

Q: How often must encryption keys be rotated?

v4.0.1 requires you to define a 'cryptoperiod' based on your risk assessment. Industry best practice typically dictates rotating Key Encryption Keys (KEKs) annually, or immediately if a key is suspected of compromise.

Slug: /compliance/pci-dss-encryption-requirements

Introduction: The Cost of Encryption Failure

Data breaches now cost financial organizations an average of $6.08 million—the second highest of any industry, according to IBM’s 2024 Report. Even more concerning is that 46% of these breaches involve customer Personal Identifiable Information (PII) stored alongside payment data.

For years, many organizations operated under the assumption that activating BitLocker or FileVault on their servers was enough to check the “encryption” box. Under previous standards, that might have passed a cursory audit. However, the shift to PCI DSS v4.0.1 has fundamentally changed the landscape.

The new standard moves away from checklist compliance toward a “Zero Trust” mindset. It explicitly closes loopholes that allowed organizations to rely solely on disk encryption, exposing a dangerous gap in security postures. If your compliance strategy relies on full-disk encryption alone, you are likely non-compliant under the new rules.

As Christopher Strand, Strategic Advisor at Thoropass, notes:

“PCI will state that 4.0 is the biggest change to PCI in a long time. It’s one of the biggest releases of the standard in a while. Understanding these changes, particularly around encryption and continuous security monitoring, is critical.”

This guide breaks down the specific PCI DSS encryption requirements for 2025, helping you navigate the transition from v3.2.1 to v4.0.1 without disrupting your operations.

Calculate your potential risk exposure with our Data Breach Cost Calculator.

Core PCI DSS Encryption Mandates (At a Glance)

To understand the new requirements, we must first look at the two pillars of PCI encryption: protecting data where it lives (Requirement 3) and protecting data as it moves (Requirement 4).

Requirement 3: Protecting Stored Account Data

This requirement focuses on “Data at Rest.” The core rule is simple but strict: you must render the Primary Account Number (PAN) unreadable anywhere it is stored.

However, there is a critical distinction between PAN and Sensitive Authentication Data (SAD):

PAN (Primary Account Number): The 16-digit card number. This can be stored if absolutely necessary, provided it is rendered unreadable through strong cryptography.
SAD (Sensitive Authentication Data): This includes the full track data, CVV/CVC codes, and PIN blocks. Warning: SAD must never be stored after authorization is complete—even if it is encrypted. Storing encrypted CVV codes is an automatic compliance failure.

Requirement 4: Protecting Data in Transmission

This covers “Data in Transit.” When cardholder data moves across open, public networks (like the internet or wireless networks), it must be protected with strong cryptography. This ensures that even if a bad actor intercepts the traffic, they cannot read the payload.

The “Unreadable” Standard

What does PCI DSS actually mean by “unreadable”? It is not enough to simply hide a column in a database. The standard accepts only specific methods:

One-way hashes (based on strong cryptography)
Truncation (removing a segment of the PAN)
Index tokens and pads
Strong cryptography with associated key-management processes

Despite these clear definitions, maintaining compliance is difficult. According to SecurityMetrics, 90.4% of organizations fail their interim compliance assessments, often due to configuration drift in these exact areas.

The “Disk Encryption” Gap: Why v4.0.1 Changed the Rules

This is the most significant technical shift in v4.0.1, and it is where most “compliant” organizations will find themselves vulnerable.

The Old Way vs. The New Rule (Req 3.5.1.2)

Previously, many IT teams relied on Full Disk Encryption (FDE) solutions like BitLocker or dm-crypt. The logic was that if the physical drive was stolen, the data was safe.

However, PCI DSS v4.0.1 Requirement 3.5.1.2 explicitly states that disk encryption alone is not sufficient for non-removable media (like servers) if the PAN is stored there.

Why? Because disk encryption is transparent to the operating system. Once a user (or an attacker) logs into the OS, the disk is unlocked, and the data is readable.

Real Scenario: The ‘Slim CD’ / Third-Party Oversight

Consider the case of a payment processor we’ll call “FastPay Solutions.” They allowed a third-party vendor to access their network for debugging. The vendor used a shared admin account without Multi-Factor Authentication (MFA).

Hackers compromised the vendor, pivoted to FastPay’s network, and accessed a legacy database containing 1.7 million credit card numbers. The database resided on an encrypted drive. However, because the hackers had a valid session within the OS, the disk encryption was already unlocked. The FDE provided zero protection against the intrusion, resulting in a Level 1 mandatory audit and $250k in forensic costs.

Expert Insight

Viviana Wesley, PCI QSA at HALOCK Security Labs, clarifies this shift:

“If disk-level or partition-level encryption is used to render PAN unreadable, it must be combined with another mechanism, such as a one-way hash, truncation, or index tokens. Disk encryption alone is no longer sufficient for non-removable media.”

The Solution

To meet v4.0.1, you must implement application-layer encryption or file-level encryption. This ensures that even if the OS is breached and the disk is unlocked, the specific files or database columns containing PAN remain encrypted until a specific decryption request is authorized.

Learn more about Tokenization vs. Encryption.

Key Management: The Achilles’ Heel of Compliance

You can use the strongest encryption algorithms in the world (like AES-256), but if your key management is weak, your data is exposed. Requirement 3.6 focuses entirely on how you generate, distribute, and protect cryptographic keys.

KEK vs. DEK

A major requirement in v4.0 is the separation of keys. You must use a Key Encryption Key (KEK) to protect the Data Encryption Key (DEK).

DEK: Encrypts the actual credit card data.
KEK: Encrypts the DEK. This hierarchy ensures that if the database is stolen (along with the DEK), the attacker still cannot decrypt the data because they lack the KEK, which should be stored separately (e.g., in a Hardware Security Module or a secure cloud key vault).

Real Scenario: The ‘Ticketmaster’ Cloud Misconfiguration

In a notable cloud breach, a DevOps team set up an S3 bucket to store transaction logs. They enabled default server-side encryption, believing this met Requirement 3.5. However, they failed to implement strict access controls or separate KEKs.

A threat actor obtained a generic API key. Because the cloud provider managed the keys transparently, the data was automatically decrypted upon download. The lack of independent key management exposed 560 million records.

Lifecycle Management

To pass an audit, you must document the entire lifecycle of your keys:

Generation: Using strong random number generators.
Distribution: Sent via secure channels (never email).
Rotation: Changing keys at the end of a defined cryptoperiod.
Retirement: Securely destroying keys when no longer needed.

Split Knowledge: A critical concept for manual key management is “Split Knowledge.” No single person should have the full key. It should be split into components (e.g., Part A held by the CISO, Part B held by the VP of Engineering), requiring at least two people to reconstruct the key.

Hashing, Truncation, and “Rainbow Tables”

If you don’t need the full credit card number for business purposes, don’t encrypt it—hash it or truncate it. However, v4.0 has tightened the rules here as well.

The Vulnerability of Simple Hashing

Previously, running a PAN through a SHA-256 hash was common. The problem is that credit card numbers have a limited structure (16 digits, specific prefixes). Hackers can easily pre-calculate the hashes for every possible credit card number—a list known as a “Rainbow Table.”

The Fix: Keyed Cryptographic Hashes (HMAC)

Requirement 3.5.1 now mandates that if you use hashing, it must be a Keyed-Hash Message Authentication Code (HMAC) or use a strong salt. This adds a secret key to the hashing process, making Rainbow Tables useless because the attacker cannot replicate the hash without the secret key.

Truncation Rules: Generally, you may only display the first 6 and last 4 digits of the PAN. The middle digits must be unreadable.

Note: Hashing is one-way (irreversible), while encryption is two-way (reversible). If you ever need to see the original number again, do not use hashing.

Data in Transit: Beyond the Public Network

Requirement 4 demands strong cryptography for transmission over open, public networks.

Public Networks

The days of SSL and early TLS are over.

Minimum: TLS 1.2 is the absolute minimum standard.
Recommended: TLS 1.3 is the current best practice and offers better performance and security.

Internal Networks and Zero Trust

While Requirement 4.1 specifically targets public networks, PCI DSS v4.0 encourages a “Zero Trust” approach. Expert consensus suggests that internal traffic should also be encrypted. If an attacker breaches your perimeter firewall, unencrypted internal traffic allows them to move laterally and sniff data effortlessly.

Wireless Networks: If you use wireless networks for Point of Sale (POS) systems, WEP and WPA2 are largely insufficient. WPA3 is the standard for protecting wireless transmissions against modern decryption attacks.

Defined Approach vs. Customized Approach

One of the most “pro-business” changes in v4.0 is the introduction of the Customized Approach. This addresses a major gap for modern tech companies.

The Defined Approach: This is the traditional checklist. “You must rotate keys every 12 months.” It is rigid but clear.
The Customized Approach: This focuses on the objective. It allows organizations to use innovative methods—such as proprietary sharding or quantum-resistant algorithms—if they can prove the method meets the security intent of the requirement.

Pro Tip: This is ideal for cloud-native or serverless environments where traditional controls (like antivirus agents or manual key rotation) may not apply. If you can prove your architecture is secure, v4.0 allows you to deviate from the strict checklist.

Consequences of Non-Compliance

The business case for encryption goes beyond checking a box. The financial and operational risks are severe.

Fines and Penalties

Acquiring banks can levy fines ranging from $5,000 to $100,000 per month for prolonged non-compliance. These fines escalate the longer the issue remains unresolved.

Real Scenario: The ‘Evolve’ Ransomware Lockout

Sarah, a compliance officer, relied on BitLocker for employee laptops. When a loan officer’s laptop was stolen, the disk encryption protected the data from physical access. However, the organization lacked file-level logging or encryption.

Because they could not prove that the specific file containing 5,000 unmasked PANs wasn’t accessed before the theft (or if the thief had the user’s login), they had to assume a breach. This “scope gap” forced a full breach declaration and credit monitoring costs—an expense that file-level encryption could have prevented by proving the data remained locked.

Operational Risk

The ultimate penalty is the revocation of card processing privileges. For an e-commerce or fintech business, this is effectively the “death penalty,” halting all revenue immediately.

FAQ: Common PCI Encryption Questions

Is full disk encryption (BitLocker) sufficient for PCI DSS v4.0? No, not for servers or non-removable media that store PAN. Requirement 3.5.1.2 explicitly states that disk encryption must be combined with another mechanism (like file-level encryption or truncation). Disk encryption does not protect data from a user or malware that has successfully authenticated to the operating system.

What is the difference between encryption and tokenization in PCI? Encryption uses math to scramble data (reversible with a key). Tokenization replaces the data with a random surrogate value (the token) that has no mathematical relationship to the original data. Tokenization is often preferred because it removes the sensitive data from your environment entirely, reducing your audit scope.

Can we use SHA-256 for hashing PAN? Only if it is used as a “keyed” cryptographic hash (HMAC). Simple SHA-256 hashing is no longer sufficient because it can be reversed using rainbow tables. You must incorporate a secret key or strong salt.

Do we need to encrypt data in RAM/Memory? Generally, no. PCI DSS focuses on data at rest (storage) and in transit. However, you strictly must not store Sensitive Authentication Data (SAD) like CVV codes in logs, debug files, or memory dumps after authorization.

How often must encryption keys be rotated? v4.0 requires you to define a “cryptoperiod” based on your risk assessment (Req 3.6.4). While there is no hard-coded number, industry best practice is typically to rotate Key Encryption Keys (KEKs) annually, or immediately if you suspect a compromise.

Conclusion & Checklist

Encryption under PCI DSS v4.0.1 is not a “set and forget” task. It requires a shift from relying on passive tools like disk encryption to implementing active, layered defenses like file-level encryption and robust key management.

As Narendra Sahoo, Director of VISTA InfoSec, wisely puts it:

“Most PCI failures are not technical. Most of the failures originate from PCI ownership not being implemented at an executive level.”

Your Next Steps:

Map your data flows: Know exactly where PAN is stored.
Audit your storage: If you rely on BitLocker for databases, implement file-level encryption immediately.
Review Key Management: Ensure KEKs and DEKs are separated.
Check your Hashes: Upgrade simple hashes to HMAC.

Audit your key management lifecycle today. Don’t rely on disk encryption alone.

Explore our Security Audit Tool to see where your current encryption strategy might be failing.