From the very instant that a merchant receives a customer's credit card information, all of the card data must be encrypted. In a National Federation of Independent Business/Visa survey that was presented at Visa's March 2007 conference, small business owners said that they believe they are doing a good job of securing customer data, despite frequent evidence to the contrary. Among the respondents that said they retained their customers' data, more than 25% kept customer records in unsecured files, and 36% of those surveyed accepted credit card numbers at their stores.

One of the biggest problems with this requirement is that merchants must accurately know where credit card data flows from its inception, where it traverses the network and resides, and what its "state" is along the way. This is why it is critical to identify and examine all desktops, laptops, servers and databases that handle any type of cardholder information. This includes all of the database files and/or SQL tables that contain credit card numbers, not to mention all of the application systems that create or access credit card numbers. No matter what type of system touches the credit card information, it must be protected by encryption.

How to pass PCI requirement 3:

As mentioned above, start identifying all of the systems that touch cardholder data because these systems will be included in the scope of an eventual PCI DSS audit or compliance validation. It is also important to understand