💼 3.5.1 PAN is rendered unreadable anywhere it is stored.

Description

Using any of the following approaches:

One-way hashes based on strong cryptography of the entire PAN.
Truncation (hashing cannot be used to replace the truncated segment of PAN).
- If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
Index tokens.
Strong cryptography with associated key-management processes and procedures.

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 PCI DSS v4.0 → 💼 3.5.1 PAN is rendered unreadable anywhere it is stored.	3		12		no data

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 PCI DSS v4.0 → 💼 3.5.1 PAN is rendered unreadable anywhere it is stored.	3		12		no data

Section	Policies	Compliance
💼 3.5.1.1 Hashes used to render PAN unreadable are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures.		no data
💼 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable.	5	no data
💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.	12	no data

Policy	Logic Count	Flags	Compliance
🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢	1	🟢 x6	no data
🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢	1	🟢 x6	no data
🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key🟢	1	🟢 x6	no data
🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢	1	🟢 x6	no data
🛡️ Google GCE Instance Confidential Compute is not enabled🟢	1	🟢 x6	no data