Frequently Asked Question

Must payment applications ensure that hashed and truncated versions cannot be correlated?

Yes. A payment application designed to store both hashed and truncated versions of a PAN is required to have additional controls to prevent their correlation, as noted in PA-DSS Requirement 2.3. This supports PCI DSS Requirement 3.4 for entities using the payment application.

Refer to the FAQ “How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4?” for further information.
November 2014
Article Number: 1309