Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?

No. The PCI DSS requirement for keyed cryptographic hashing is a new requirement for PCI DSS v4.0 and is a best practice until the new requirements become effective on 31 March 2025. After that date, all hashing processes used to render primary account numbers unreadable are required to meet the PCI DSS requirements for keyed cryptographic hashing.

For the definitions of “hashing” and “keyed cryptographic hashing,” refer to the PCI DSS Glossary of Terms, Abbreviations, and Acronyms in PCI DSS v4.x, Appendix G.

See also FAQ 1089: Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS?

September 2023
Article Number: 1573