Requirement 3: Protect stored cardholder data
Cardholder data is protected through encryption, truncation, hashing, and masking. The goal of these requirements is to ensure that, if unauthorized access to cardholder data takes place, the data is unreadable and of no use without the proper cryptographic keys.
Requirement 3.4 specifies that the Primary Account Number (PAN) must be rendered unreadable anywhere it is stored, including backup media and logs, using one of the approaches PCI DSS accepts: one-way hashing of the full PAN with strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures.
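The practical check behind this requirement is to confirm that no plaintext PAN survives in a stored copy of data: a log, an export, or an image of media that is not covered by encryption. The following scanner is an added example written for this page; it is not ECS code and not part of the original document. It finds Luhn-valid 13-19 digit sequences in a byte buffer, reports them masked so the scan itself does not create a new plaintext copy, and shows that truncated and keyed-hash forms of the same PAN produce no findings. The records, the test card numbers, and the HMAC key are all constructed for the example.

```python
"""Scan a byte buffer for plaintext Primary Account Numbers (PANs).

Added example (not ECS code) for checking PCI DSS Requirement 3.4 on a
stored copy of data: a log, an export, or an image of unencrypted media
should contain no Luhn-valid 13-19 digit sequences.  Findings are reported
masked (first six, last four) so the scanner does not create a new
plaintext copy of the PAN.
"""
import base64
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or
# hyphen, and not embedded in a longer run of digits.
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(buf: bytes) -> list:
    """Return one {"offset", "pan"} finding per Luhn-valid PAN in buf."""
    findings = []
    for m in _CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            findings.append({"offset": m.start(), "pan": mask_pan(digits)})
    return findings


def keyed_hash_pan(digits: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA-256, base64) of the full PAN.

    The key is a constructed example secret; a real deployment keeps it in
    the key manager, never alongside the hashed values.
    """
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def is_clean(buf: bytes) -> bool:
    """True if no plaintext PAN was found, i.e. the copy is fit to be stored."""
    return not find_pans(buf)


# Constructed sample records using published test card numbers, not real
# accounts.  The third line fails the Luhn check and must not be reported.
PLAINTEXT_RECORD = (
    b"2021-06-01T10:00:00Z txn=0001 pan=4111111111111111 exp=12/24\n"
    b"2021-06-01T10:00:05Z txn=0002 pan=5555 5555 5555 4444 exp=01/25\n"
    b"2021-06-01T10:00:09Z txn=0003 ref=4111111111111112\n"
)
TRUNCATED_RECORD = b"txn=0001 pan=411111******1111 exp=12/24\n"
EXAMPLE_KEY = b"constructed-example-key-not-for-production"   # assumption
HASHED_RECORD = (
    b"txn=0001 pan_hmac="
    + keyed_hash_pan("4111111111111111", EXAMPLE_KEY).encode("ascii")
    + b"\n"
)


if __name__ == "__main__":
    for name, rec in (("plaintext", PLAINTEXT_RECORD),
                      ("truncated", TRUNCATED_RECORD),
                      ("hashed", HASHED_RECORD)):
        print(f"{name:9s} clean={is_clean(rec)} findings={find_pans(rec)}")
```

Run against a file you intend to keep (`is_clean(open(path, "rb").read())`); a non-empty findings list means the copy needs to be encrypted, truncated, or hashed before it is stored. The Luhn filter matters: timestamps, transaction identifiers, and reference numbers produce long digit runs, and without it the scan drowns in false positives.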
ECS addresses this requirement with Data at Rest Encryption (D@RE), server-side encryption of stored data that requires little administrative effort and is intended for enterprises and service providers that must protect sensitive data on storage media. D@RE protects data on the physical media, for example disks that are removed, replaced, or decommissioned. It is transparent to clients: an authenticated and authorized user reading an object through the ECS API receives the decrypted data, so D@RE does not replace access control, PAN truncation, or masking in the applications that store cardholder data.
As part of D@RE, ECS supports centralized external key managers that implement the Key Management Interoperability Protocol (KMIP), so that the keys protecting stored data can be held and managed outside the ECS cluster. For more information on D@RE and KMIP, see the ECS Administration Guide.
Note: In ECS 3.6.1, FIPS 140-2 mode is enabled by default for the D@RE module only; the module is validated at FIPS 140-2 Level 1 and encrypts with AES using 256-bit keys. ECS uses the RSA BSAFE Crypto-J JSAFE and JCE software module, version 6.2.5, for this AES-256 data encryption.
The other requirements in this section, such as data retention and disposal, masking of the PAN when it is displayed, and the key-management procedures that go with encryption, are enforced through policies, procedures, and processes external to the ECS cluster.