GRCWatch
Sign inStart free trial

PCI DSS 3.5.1.3: Limit Disk Encryption to Removable Media

PCI DSS 3.5.1.3 requires encryption at the disk or partition level exclusively for removable electronic media—protecting sensitive data on devices that leave your physical control. This targeted encryption approach prevents unauthorized access to payment card data on USB drives, external hard drives, and portable storage devices without burdening fixed infrastructure.

What this means

This control mandates that disk-level or partition-level encryption be applied only to removable electronic media used in your payment card environment. The requirement distinguishes between removable storage (USB drives, SD cards, portable external drives) and fixed infrastructure, ensuring encryption resources focus on portable devices that carry elevated risk due to portability and potential loss or theft.

How to comply

  1. 1.Identify all removable media used in your cardholder data environment (USB drives, external hard drives, portable SSDs, SD cards, etc.)
  2. 2.Enable full disk or partition-level encryption on each removable device using AES-256 or equivalent algorithms
  3. 3.Configure encryption settings before any cardholder data is stored on removable media
  4. 4.Document encryption implementation details, including device inventory and encryption methods used
  5. 5.Restrict removable media use through technical controls and access policies
  6. 6.Test encryption functionality regularly to confirm data protection remains effective
  7. 7.Train personnel on proper handling and encryption protocols for removable media

Evidence auditors look for

  • Device inventory listing all removable media with encryption status and algorithm specifications
  • System configuration reports showing encryption enabled at disk/partition level
  • Encryption key management documentation and storage procedures
  • Screenshots of encrypted device properties or device management tool settings
  • Access logs showing only authorized personnel can connect removable media
  • Testing records demonstrating encryption remains functional and data is unreadable without decryption keys

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

See how GRCWatch handles this control automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 3.5.1.1 (Strong Cryptography Requirement)PCI DSS 3.5.1.2 (Encryption in Transit)PCI DSS 8.2.3 (User Authentication)PCI DSS 12.3 (Security Policy Documentation)