PCI (Payment Card Industry Security Standard)_Req 3.4

Protect stored cardholder data

Req 3.4

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

– One-way hashes based on strong cryptography (hash must be of the entire PAN)
– Truncation (hashing cannot be used to replace the truncated segment of PAN)
– Index tokens and pads (pads must be securely stored)
– Strong cryptography with associated key-management processes and procedures

Note: it is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

PANs stored in primary storage (databases, or flat files such as text files and spreadsheets) as well as non-primary storage (backups, audit logs, exception or troubleshooting logs) must all be protected.

One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional random input value be added to the cardholder data prior to hashing, to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of precomputed hash values.

The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored.

An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.

The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or “homegrown” algorithm) with strong cryptographic keys.

By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
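The following Python is an added example, not part of the PCI DSS text or any vendor's code, showing three of the rendering approaches above side by side: truncation to the first six and last four digits, a keyed one-way hash over the entire PAN, and index tokens backed by a separately held vault. The sample number 4111111111111111 is a constructed, Luhn-valid test value, not a real account; the HMAC key and the in-memory vault stand in for a key-management system and a securely stored token store, which is an assumption of the example rather than something the requirement prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a well-known Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to confirm that an input is shaped like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits.

    The middle digits are discarded permanently and replaced with a filler,
    so the stored value cannot be reversed into the full PAN on its own.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) over the entire PAN.

    The secret key plays the role of the 'additional random input value' the
    guidance recommends. Assumption of this example: the key is held in a
    key-management system, never stored next to the hashed data, so an
    attacker holding only the table cannot compute candidate hashes.
    """
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: each PAN is replaced by a random, unpredictable token.

    The token is generated from a CSPRNG and carries no information about the
    PAN; the mapping back to the PAN lives only in this vault, which is assumed
    to be the 'securely stored' component the requirement refers to.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Reuse the token for a PAN already seen so the same card maps to the
        # same token (needed for de-duplication without exposing the PAN).
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = secrets.token_hex(16)      # 128 random bits, not derived from the PAN
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def render_unreadable(pan: str, key: bytes, vault: TokenVault) -> dict:
    """Produce the three storage forms for one PAN.

    Note on correlation: if a truncated value and an UNKEYED hash of the same
    PAN sit together, only the removed middle digits are unknown, which is why
    the standard warns about that pairing. Using a keyed hash whose key is
    held outside the data store is one control that breaks that correlation.
    """
    if not luhn_valid(pan):
        raise ValueError("input does not pass the Luhn check")
    return {
        "truncated": truncate_pan(pan),
        "hmac_sha256": hash_pan(pan, key),
        "token": vault.tokenize(pan),
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)     # would come from a KMS in practice
    record = render_unreadable(SAMPLE_PAN, demo_key, TokenVault())
    for form, value in record.items():
        print(f"{form:12} {value}")
```

None of the three stored forms contains the full PAN, and the full PAN can only be recovered through the vault (for tokens) or not at all (for truncation and the hash), which is the property Requirement 3.4 asks for.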

