Frequently Asked Questions

< Back to search page

Should cardholder data be encrypted while in memory?

FAQ Response

If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains a non-persistent state. For example, if the memory is being written to a file, then appropriate PCI DSS requirements are applicable to that file. Where appropriate, this data should be securely purged as soon as possible - for example, from swap files and temporary folders. PCI SSC recommends engaging a Qualified Security Assessor (QSA) for guidance as to whether a specific implementation will satisfy this requirement. Please see the list of QSAs at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

February 2008
Article Number 1042