LinkedIn tracking pixel

§ 00·0x00/COMPLIANCE / PCI DSS 4

Disk encryption alone stopped counting on March 31, 2025.

PCI DSS 4 Requirement 3.5.1.2 is now mandatory. Disk-level encryption alone no longer covers stored account numbers. The standard requires strong cryptography at the data level.

CipherStash is the field-level path: queryable encryption on the Postgres you already run, with your existing queries intact.

§ 01·0x01/HOW CIPHERSTASH MAPS

From requirement to running code.

01

Render PAN unreadable at the field level.

Cardholder data is encrypted per value before it reaches your database. What lands on disk is ciphertext at the column level.

02

Keep your queries working.

Equality and range queries run over ciphertext using ordinary Postgres indexes. No application rewrite.

03

Restrict and log access.

Keys are derived per value, bound to identity, and never stored. Every decryption is logged.

04

Run it on your existing stack.

RDS, Supabase, Neon, or any managed Postgres. No new database, no vault, no migration.

§ 02·0x02/NEXT STEPS

Meet the requirement in 15 minutes.

Install the SDK, mark the cardholder fields in your schema, and run your existing queries. For your security review, see encryption at rest, in transit, and in use.