
💼 3.4 Render PAN unreadable anywhere it is stored.

  • Contextual name: 💼 3.4 Render PAN unreadable anywhere it is stored.
  • ID: /frameworks/pci-dss-v3.2.1/03/04
  • Located in: 💼 3 Protect stored cardholder data

Description

Use any of the following approaches:

  • One-way hashes based on strong cryptography (hash must be of the entire PAN)
  • Truncation (hashing cannot be used to replace the truncated segment of PAN)
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key-management processes and procedures.

It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

Similar

  • Sections
    • /frameworks/pci-dss-v4.0/03/05/01
  • Internal
    • ID: dec-c-913a1200

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v4.0 → 💼 3.5.1 PAN is rendered unreadable anywhere it is stored. 37

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v4.0 → 💼 3.5.1 PAN is rendered unreadable anywhere it is stored. 37

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms. 77