For PCI DSS requirement 3.4.1 for disk encryption, what is the intent of requiring that logical access must be managed independently of native operating access control mechanisms?
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically decrypts the information when an authorized user requests it. Disk-encryption systems intercept operating system read and write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase at the beginning of a session. Based on these characteristics of disk encryption, to be compliant with this requirement, the disk-encryption method cannot have:
- A direct association with the operating system, or
- Decryption keys associated with user accounts.