By Viviana Wesley – PCI QSA, ISO 27001 Auditor, CISM and Jason Maiden – CISSP, PCI-QSA, PMP, ISO Lead Auditor
Encryption is a tool for protecting data. Many organizations already use it in some capacity, such as full-disk encryption, encrypted backups, or secure communication protocols. When it comes to securing Primary Account Numbers (PANs) under PCI DSS 4.0.1, however, not all encryption methods are appropriate.
The real question isn’t if you’re encrypting — it’s whether your encryption is strong enough and used in the right way to meet today’s compliance requirements. Simply encrypting a drive or using legacy controls may no longer be sufficient. PCI DSS 4.0.1 now calls for granular, risk-aligned encryption techniques that better protect sensitive payment data during normal system operation.
What PCI DSS 4.0.1 Requires
PCI DSS Requirement 3.5.1 outlines the encryption expectations for securing the storage of PAN data. If disk-level or partition-level encryption is used to protect PAN, it must be implemented only:
- On removable electronic media, or
- On non-removable media, in combination with another mechanism that satisfies Requirement 3.5.1 (e.g., file, column, or field-level encryption)
What this means is that encrypting an entire drive or partition is not enough on its own for systems storing PAN on non-removable media like laptops or servers. Instead, granular encryption — such as file- or application-layer encryption — must also be used to protect PAN at rest and ensure it’s only accessible when truly necessary.
Why is Disk Level Not Enough?
Many organizations, such as those managing Windows devices, rely on disk encryption tools like BitLocker, often deployed through Microsoft Intune or other mobile device management (MDM) platforms. While these tools are excellent for protecting data if a device is lost or stolen, they are not adequate on their own when it comes to PCI DSS requirements.
Disk-level encryption secures data at the storage level, but once a system is powered on and the user is authenticated, everything on the disk — including PAN — becomes accessible. That means if someone gains access to an active session (through malware, remote access, or a forgotten login), they could view sensitive data without needing to bypass encryption.
PCI DSS 4.0.1 emphasizes that PAN must only be decrypted when there is a valid business need. With full-disk encryption alone, PAN may be exposed simply because the device is on and unlocked — which doesn’t meet the intent of the requirement.
What Encryption Solutions Should You Use?
To properly protect PAN and meet PCI DSS 4.0.1, organizations must implement layered encryption techniques that go beyond the disk level, used instead of or in addition to disk encryption:
- File-Level Encryption: Encrypts the specific files that contain PAN, so that only authorized applications or users can decrypt and access their contents.
- Column- or Field-Level Encryption: Encrypts the database columns or fields that store PAN, keeping the sensitive data hidden even if the database is compromised.
- Application-Layer Encryption: Encrypts and decrypts data within the application, before it reaches the file system or storage layer, giving stronger control over data access.
These methods keep PAN protected even on running systems, and decryption is limited to specific use cases and authorized users, in line with PCI DSS expectations.
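As an added illustration of the field- and application-layer approach described above (this is example code written for this article, not HALOCK's or any vendor's implementation), the Go program below encrypts a PAN with AES-256-GCM inside the application before the record is persisted, so the stored record carries only ciphertext and a masked value, and the only way to obtain cleartext is a single, separately authorized read path. The 32-byte key, the CardRecord layout, the customer ID, and the "4111111111111111" test number are assumptions constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is what the application persists (illustrative layout, not a real
// schema). The PAN is stored only as AES-256-GCM ciphertext plus a masked value.
type CardRecord struct {
	CustomerID    string
	Masked        string // e.g. "************1111", safe to display
	PANCiphertext []byte // nonce || ciphertext || GCM tag
}

// newGCM builds an AES-256-GCM AEAD and rejects any key that is not 256 bits,
// so a weaker key cannot be substituted by mistake.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("field-level key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN encrypts one PAN under the data-encryption key. The customer ID is
// bound as additional authenticated data, so a ciphertext moved between records fails to decrypt.
func EncryptPAN(key []byte, customerID, pan string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), []byte(customerID)), nil
}

// DecryptPAN reverses EncryptPAN and fails on any tampering or AAD mismatch.
func DecryptPAN(key []byte, customerID string, blob []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(customerID))
	if err != nil {
		return "", fmt.Errorf("PAN decrypt failed: %w", err)
	}
	return string(plain), nil
}

// MaskPAN keeps only the last four digits for display.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// StoreCard is the write path: the PAN is encrypted before it reaches storage.
func StoreCard(key []byte, customerID, pan string) (CardRecord, error) {
	ct, err := EncryptPAN(key, customerID, pan)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{CustomerID: customerID, Masked: MaskPAN(pan), PANCiphertext: ct}, nil
}

// RevealPAN is the single read path returning cleartext; callers gate it behind authorization.
func RevealPAN(key []byte, rec CardRecord) (string, error) {
	return DecryptPAN(key, rec.CustomerID, rec.PANCiphertext)
}

func main() {
	// Constructed demo key. A real data-encryption key comes from an HSM or
	// key-management service and is never stored beside the data it protects.
	key := []byte("0123456789abcdef0123456789abcdef")
	// "4111111111111111" is a publicly documented test number, not a live PAN.
	rec, err := StoreCard(key, "cust-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s %s %x\n", rec.CustomerID, rec.Masked, rec.PANCiphertext)
	fmt.Println(RevealPAN(key, rec))
}
```

The point of the design is that a database dump, a copied file, or an unlocked disk yields only the ciphertext and the masked value; cleartext appears only when RevealPAN is called with the key, which in a real deployment is held by a key-management service and released only to the authorized code path. Binding the customer ID as authenticated data is an extra check a practitioner would want: a ciphertext copied into another customer's record, or altered by a single byte, is rejected rather than decrypted.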
Can You Still Use Disk Encryption?
Absolutely. Disk encryption (like BitLocker) is still essential for protecting data on lost or stolen devices — especially laptops and portable media. But when it comes to protecting PAN within your cardholder data environment (CDE), it must be paired with stronger, more granular encryption methods on non-removable media.
Use Strong, Approved Algorithms
Regardless of which encryption layers you implement, they must rely on strong encryption standards. PCI DSS requires the use of industry-recognized, secure algorithms — such as AES-256 — and proper key management procedures.
How to Know If You’re Covered
If you’re unsure whether your current encryption setup meets PCI DSS 4.0.1, take a closer look. Misaligned encryption controls could leave gaps that put cardholder data and compliance at risk.
HALOCK’s QSAs can help you evaluate your current encryption practices and recommend enhancements that match your environment, business needs, and regulatory responsibilities. Encryption is only as strong as the way it’s implemented.