Lesson 2 of 7

Data protection

Data protection is the practice of keeping sensitive data from being compromised or accessed by unintended parties, protecting it against loss, and ensuring its integrity. There are three data states to consider:

1. DIM (Data in Motion) is data in transit between systems or to a business process.
HTTPS with at least TLS 1.2 is required (PCI Req 4.1g).

2. DAR (Data at Rest) is data that has been persisted to some storage solution. The following is required:

  • Track 1/Track 2/magstripe data: Don’t store the full contents of any track after authorization (Req 3.2.1).
  • CVV: Don’t store the card verification code/value after authorization, even in encrypted form; this includes making sure the CVV is not inadvertently written to logs, trace files, or any system database (Req 3.2.2).
  • Controls for secured cardholder data: Render the PAN unreadable anywhere it is stored using at least one of the following controls (see Req 3.4):
         A. One-way hashes based on strong cryptography (the hash must be of the entire PAN)
         B. Truncation (hashing cannot be used to replace the truncated segment of the PAN)
         C. Index tokens and pads, with the pads being securely stored
         D. Strong cryptography, with associated key-management processes and procedures
    Note that if hashed and truncated versions of the same PAN both exist in the environment, additional controls must ensure the two cannot be correlated to reconstruct the original PAN (Req 3.4 note).

3. DIU (Data in Use) is data that is retrieved for display to a consumer or an operator.
    The requirement is that only personnel with a legitimate business need can see more than the first six/last four digits of the cardholder number (PAN); we strongly suggest displaying only the last four (Req 3.3).
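The following is an added example, not code from the lesson or from PCI SSC, showing the display masking of Req 3.3, the truncation control of Req 3.4 B, and why an unsalted one-way hash of a PAN (Req 3.4 A) must not sit next to a truncated copy of the same PAN: with the first six and last four known and the Luhn check digit fixing one more digit, only 10**5 SHA-256 evaluations are needed to recover a 16-digit PAN. It uses the public test numbers 4111111111111111 and 5555555555554444 rather than real cards, assumes 16-digit PANs for the recovery routine, and uses HMAC-SHA-256 with a secret key as the keyed alternative that removes the brute-force path (the key then needs the same key management as an encryption key).

```python
"""Added example (not part of the lesson): PAN masking for display (Req 3.3),
truncation for storage (Req 3.4 B), and a demonstration that an unsalted hash
of a PAN is recoverable once the truncated form of the same PAN is known.
The PANs used are the public test numbers 4111111111111111 and
5555555555554444, not real cards."""
import hashlib
import hmac
import itertools
from typing import Optional, Tuple


def luhn_sum(pan: str) -> int:
    """Luhn (ISO/IEC 7812) weighted digit sum; a valid PAN sums to 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_sum(pan) % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Req 3.3 display masking: never reveal more than first six / last four.
    The default shows only the last four, the lesson's recommended practice."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("PCI DSS permits at most first six and last four")
    hidden = len(pan) - keep_first - keep_last
    tail = pan[len(pan) - keep_last:] if keep_last else ""
    return pan[:keep_first] + "*" * hidden + tail


def truncate_pan(pan: str) -> Tuple[str, str]:
    """Req 3.4 B truncation: persist only (first six, last four). The middle
    digits are discarded, so unlike masking nothing can restore the full PAN."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan[:6], pan[-4:]


def sha256_pan(pan: str) -> str:
    """Unkeyed, unsalted hash of the PAN: deterministic and, as recover_pan
    shows, reversible by brute force once the truncated form is known."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hmac_pan(key: bytes, pan: str) -> str:
    """Keyed hash (HMAC-SHA-256). Recovery now requires the secret key, which
    must be protected like any other cryptographic key (Req 3.5 / 3.6)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, first6: str, last4: str) -> Optional[str]:
    """Reconstruct a 16-digit PAN from its unsalted SHA-256 plus its truncated
    form. Only the six middle digits are unknown, and the Luhn check fixes the
    last of them, so at most 10**5 candidates are hashed.
    Assumption: 16-digit PAN, so the sixth middle digit (index 11) sits at an
    undoubled Luhn position and can be solved for directly."""
    for mid5 in itertools.product("0123456789", repeat=5):
        partial = first6 + "".join(mid5) + "0" + last4
        check = str((-luhn_sum(partial)) % 10)  # digit needed at index 11
        candidate = partial[:11] + check + last4
        if sha256_pan(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    print(mask_pan(pan))                 # ************1111
    print(mask_pan(pan, keep_first=6))   # 411111******1111
    first6, last4 = truncate_pan(pan)
    # The stored hash and the stored truncation together give back the PAN.
    print(recover_pan(sha256_pan(pan), first6, last4))  # 4111111111111111
```

The recovery loop is the practical reason behind the Req 3.4 note on correlating hashed and truncated PANs: truncation leaks the bulk of the number, and an unkeyed hash of the full PAN is only protecting about 17 bits of entropy. Swapping `sha256_pan` for `hmac_pan` with a properly managed key, or salting and keying the hash, leaves the truncation in place while removing the offline brute-force path.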