ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is migrating its PCI-DSS cardholder data environment to AWS. Primary Account Numbers (PANs) will be stored in an Amazon RDS for PostgreSQL database. To satisfy PCI-DSS Requirement 3, the PAN must be rendered unreadable at rest and the associated encryption keys must be protected and managed separately from the data. The security team also wants to minimize ongoing operational overhead. Which solution best meets these requirements?
Encrypt each PAN in the application with AES-256 using a hard-coded key embedded in the application code and store the ciphertext in the database.
Enable native Transparent Data Encryption (TDE) in Amazon RDS for PostgreSQL and store the TDE master key in an AWS KMS customer-managed key with automatic rotation.
Store only the first six and last four digits of each PAN in plaintext; no encryption is required if full PANs are not retained in the table.
Create the database with Amazon RDS encryption at rest enabled, using an AWS KMS customer-managed key that is administered by a separate security team.
PCI-DSS Requirement 3.4 mandates that stored PANs be rendered unreadable using strong cryptography (minimum 128-bit security) and that key management be kept separate from the encrypted data. Enabling Amazon RDS encryption at rest with an AWS KMS customer-managed key (CMK) applies AES-256 encryption to the database storage as well as its automated backups, snapshots, and read replicas. KMS stores and protects the CMK, offers fine-grained IAM and key-policy controls that segregate key-management privileges from data access, and supports automatic annual rotation, which keeps operational effort low. Amazon RDS for PostgreSQL does not currently support native Transparent Data Encryption, so the TDE option cannot be implemented. Storing truncated PANs in plaintext does not protect the full PAN that the application still handles and therefore does not satisfy PCI-DSS. Embedding an encryption key in application code provides no separation of duties, breaches PCI-DSS key-management requirements, and creates operational risk whenever the key must be rotated or the code is shared. Therefore, enabling Amazon RDS encryption at rest with a KMS-managed CMK administered by a separate security team is the most appropriate and compliant choice with the least operational burden.
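The separation of duties that makes the RDS-plus-KMS option compliant is enforced in the KMS key policy, not in the database. The following Python is an added illustration written for this practice question; it is not code from the question page or from AWS. It builds a key policy in which a security-team role administers the key but cannot decrypt with it, while a database-provisioning role may use the key only through the RDS service (the real `kms:ViaService` condition), then checks that no principal ends up able to both control the key and read data through it, and finally assembles the `create_db_instance` parameters (real boto3 parameter names) that attach the key. The account ID, role names and key ARN are constructed placeholders.

```python
"""Added example: KMS key policy with separated key administration and key use,
plus the RDS parameters that bind the encrypted instance to that key.
All identifiers below are constructed placeholders."""
import json

ACCOUNT_ID = "111122223333"                                   # placeholder account
REGION = "us-east-1"
KEY_ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/SecurityTeamKeyAdmin"      # hypothetical
DB_PROVISIONER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/PaymentsDbProvisioner"  # hypothetical
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"

# Actions that change the key itself: its policy, rotation state, and lifecycle.
ADMIN_ACTIONS = [
    "kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:DescribeKey",
    "kms:EnableKey", "kms:DisableKey", "kms:EnableKeyRotation",
    "kms:DisableKeyRotation", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Actions that use the key to protect data; RDS obtains these through grants.
USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
]

# Classification used by the checker. "kms:*" counts as both, so an overly broad
# root or admin statement is flagged rather than silently accepted.
KEY_CONTROL = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
               "kms:DisableKeyRotation", "kms:*"}
DATA_ACCESS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
               "kms:GenerateDataKey*", "kms:ReEncrypt*", "kms:*"}


def build_key_policy(admin_arn, db_provisioner_arn, region):
    """Key policy: the security team administers the key but cannot decrypt;
    the provisioner may use the key only when the request arrives via RDS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministrationBySecurityTeam",
                "Effect": "Allow",
                "Principal": {"AWS": admin_arn},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "KeyUseThroughRdsOnly",
                "Effect": "Allow",
                "Principal": {"AWS": db_provisioner_arn},
                "Action": USE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"rds.{region}.amazonaws.com"},
                },
            },
        ],
    }


def principals_with(policy, actions):
    """Return the principals granted any of `actions` by an Allow statement."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a in actions for a in acts):
            principal = stmt["Principal"]["AWS"]
            found.update(principal if isinstance(principal, list) else [principal])
    return found


def separation_violations(policy):
    """Principals that can both control the key and read cardholder data through it."""
    return principals_with(policy, KEY_CONTROL) & principals_with(policy, DATA_ACCESS)


def rds_instance_params(key_arn):
    """Keyword arguments for boto3 rds.create_db_instance that enable encryption
    at rest under the security-team-administered CMK."""
    return {
        "DBInstanceIdentifier": "cde-pan-store",       # placeholder name
        "Engine": "postgres",
        "DBInstanceClass": "db.m6g.large",
        "AllocatedStorage": 100,
        "MasterUsername": "cdeadmin",
        "ManageMasterUserPassword": True,   # let RDS keep the master password in Secrets Manager
        "StorageEncrypted": True,           # AES-256 on storage, backups, snapshots, replicas
        "KmsKeyId": key_arn,                # the CMK whose policy is built above
        "DeletionProtection": True,
    }


if __name__ == "__main__":
    policy = build_key_policy(KEY_ADMIN_ROLE, DB_PROVISIONER_ROLE, REGION)
    print(json.dumps(policy, indent=2))
    print("separation violations:", separation_violations(policy) or "none")
    print(json.dumps(rds_instance_params(KEY_ARN), indent=2))
```

Run the checker against any candidate key policy before applying it with `kms.put_key_policy`; giving the same role both sets of actions (or granting `kms:*` to a shared role) is reported as a violation, which is exactly the condition that separates the compliant option from the hard-coded-key one.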