3.4 Render PAN unreadable anywhere it is stored.
- Contextual name: 3.4 Render PAN unreadable anywhere it is stored.
- ID: /frameworks/pci-dss-v3.2.1/03/04
- Located in: 3 Protect stored cardholder data
Description
Use any of the following approaches:
- One-way hashes based on strong cryptography, (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures.
It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Similar
- Sections
/frameworks/pci-dss-v4.0/03/05/01
- Internal
- ID:
dec-c-913a1200
- ID:
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
PCI DSS v4.0 → 3.5.1 PAN is rendered unreadable anywhere it is stored. | 3 | 12 |
Similar Sections (Give Policies To)
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
PCI DSS v4.0 → 3.5.1 PAN is rendered unreadable anywhere it is stored. | 3 | 12 |
Sub Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms. | 7 | 12 |
Policies (5)
Policy | Logic Count | Flags |
---|---|---|
Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) | 1 | x6 |
Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) | 1 | x6 |
Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key | 1 | x6 |
Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) | 1 | x6 |
Google GCE Instance Confidential Compute is not enabled | 1 | x6 |