PCI DSS 3.5.1.3: Limit Disk Encryption to Removable Media
PCI DSS 3.5.1.3 requires encryption at the disk or partition level exclusively for removable electronic media—protecting sensitive data on devices that leave your physical control. This targeted encryption approach prevents unauthorized access to payment card data on USB drives, external hard drives, and portable storage devices without burdening fixed infrastructure.
What this means
This control mandates that disk-level or partition-level encryption be applied only to removable electronic media used in your payment card environment. The requirement distinguishes between removable storage (USB drives, SD cards, portable external drives) and fixed infrastructure, ensuring encryption resources focus on portable devices that carry elevated risk due to portability and potential loss or theft.
How to comply
- 1.Identify all removable media used in your cardholder data environment (USB drives, external hard drives, portable SSDs, SD cards, etc.)
- 2.Enable full disk or partition-level encryption on each removable device using AES-256 or equivalent algorithms
- 3.Configure encryption settings before any cardholder data is stored on removable media
- 4.Document encryption implementation details, including device inventory and encryption methods used
- 5.Restrict removable media use through technical controls and access policies
- 6.Test encryption functionality regularly to confirm data protection remains effective
- 7.Train personnel on proper handling and encryption protocols for removable media
Evidence auditors look for
- Device inventory listing all removable media with encryption status and algorithm specifications
- System configuration reports showing encryption enabled at disk/partition level
- Encryption key management documentation and storage procedures
- Screenshots of encrypted device properties or device management tool settings
- Access logs showing only authorized personnel can connect removable media
- Testing records demonstrating encryption remains functional and data is unreadable without decryption keys
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial