Cardholder data, often abbreviated CHD, must be secured and protected on your network. Your compliance program is required to include a policy and procedure for protecting cardholder data. PCI DSS Requirement 3 is "Protect stored cardholder data."

Sample Policy

Policy:  We employ risk mitigation practices whereby any stored cardholder data is protected through the use of protection methods that may include encryption, truncation, masking and hashing.

Additional protections implemented include processes and user training to ensure that unprotected cardholder data is not sent using end-user technologies such as e-mail and instant messaging.

Procedure: Use automated software and reporting to validate that all configurations of system components ensure that stored cardholder data is protected.

Training consideration: Train users to ensure that unprotected cardholder data is not sent using e-mail, instant messaging, or any other end-user messaging technology.
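To make the procedure and training points concrete, here is an added Python example (not part of the original policy text) that scans constructed sample messages for unprotected primary account numbers, confirms candidates with the Luhn check, and masks any it finds to the first six and last four digits, the display form PCI DSS permits. The message text and the 4111 1111 1111 1111 test number are constructed, not real cardholder data.

```python
import re

# Constructed sample messages. 4111111111111111 is a well-known test PAN
# that passes the Luhn check; the second number deliberately fails it.
SAMPLE_MESSAGES = [
    "Customer called, card 4111 1111 1111 1111 exp 12/26, please process refund",
    "Order #4111111111111112 shipped today",
    "Ticket reference 20240517 closed",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: keep first six and last four, hide the rest."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the unmasked PANs (digits only) found in a message."""
    return [d for d in (_normalise(m.group()) for m in PAN_CANDIDATE.finditer(text))
            if luhn_valid(d)]


def redact_message(text: str) -> str:
    """Replace each Luhn-valid PAN in a message with its masked form."""
    def repl(m):
        d = _normalise(m.group())
        return mask_pan(d) if luhn_valid(d) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan_messages(messages: list) -> dict:
    """Map message index -> PANs found, for messages that contain any (a DLP-style report)."""
    report = {}
    for i, msg in enumerate(messages):
        pans = find_pans(msg)
        if pans:
            report[i] = pans
    return report
```

Running `scan_messages(SAMPLE_MESSAGES)` flags only the first message; the second number is rejected by the Luhn check and the ticket reference is too short to be a PAN.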


Protecting Cardholder Data

Part of the protection is to implement a policy and procedure manual, and to understand what you need to do, and what not to do, when storing sensitive data. Contact Tier3MD for a full PCI compliance assessment.