Frequently Asked Question
How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4?
The simplest approach for meeting this requirement is to not store hashed and truncated PAN. If, however, an entity wishes to store both hashed and truncated PAN, additional controls are needed to provide assurance that there is no single point where the two types of PAN formats could be captured for correlation. Examples of methods that may be able to meet the intent of this requirement include:
- Use of a unique, strong and secret input variable (e.g. salt) for each hash such that two hashes of the same PAN would have different values
- Use of separate storage systems, one for hashed and one for truncated PANs, that are isolated from each another using segmentation, separate access controls, etc.
- Configuring file/database systems to prevent the existence of any cross-references or links between a hash and a truncated PAN
- Use of real-time monitoring and dynamic response to detect and prevent requests to access correlating PAN values.