FAQ #1084 Diff
For PCI DSS requirement 3.4.1 for disk encryption, what is the intent of requiring that logical access must be managed independently of native operating access control mechanisms?
Earlier Version
Later Version
Removed
Added
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically decrypts the information when an authorized user requests it. Disk-encryption systems intercept operating system read and write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase at the beginning of a session. Based on these characteristics of disk encryption, to be compliant with this requirement, the disk-encryption method cannot:
1.
Use the same user account authenticator as the operating system, or
2.
Use a decryption key that is associated with or derived from the system’s local user account database or general network login credentials.
1.
Use the same user account authenticator as the operating system, or
2.
Use a decryption key that is associated with or derived from the system’s local user account database or general network login credentials.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.