SearchSecurity.com

PCI encryption requirements: Limiting PCI scope with P2P encryption

For those of us involved in the PCI DSS compliance process -- particularly those on the merchant side of things -- encryption can be confusing. It is both a mandatory and a discretionary control: in some areas the PCI DSS is explicit that merchants must use encryption (PAN data at rest, cardholder data on public networks, remote access, etc.), but there are also situations where merchants can choose to encrypt for their own benefit. Because of this dual role -- and because it's not a concept that everyone is inherently familiar with -- encryption has historically been a source of confusion and can seem daunting to learn.
