PCI Watch

Tracking changes in the Payment Card Industry
FAQs » FAQ #1308 » Versions » Diff

Diff: FAQ #1308

How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4?

Earlier Version
2014-11-20 00:00:00 UTC
Later Version
2025-06-11 14:58:15 UTC
Removed
Added
In order to meet PCI DSS Requirement 3.4, entities with both5.1 states that if hashed and truncated versions of a PAN in their environment are also required to implement additional controls to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
The simplest approach for meeting this requirement is to not store hashed and truncated PAN. If, however, an entity wishes to store both hashed and truncatedthe same PAN, additional controls are needed to proor different truncation formats, are present in the envide assurance that there is no single point where the two types ofronment, additional controls must be implemented to prevent correlation.

The simplest solution is not to store both hashed and truncated PAN formats coulds. If be captured for correlationoth must be retained, the following controls can help:

Use of strong, unique, secret salts for hashing
Separate storage systems for hashed and truncated values, isolated with segmentation, and distinct access controls
Preventing cross-references or database links between values
Real-time monitoring to detect correlation attempts

These are examples only. Examples of methods that mayControls should be suitable to meet the intent of this requirement include:
- Use of a unique, strong and secret input for the envariable (e.g. salt) for each hash such that two hashes of the sameironment and ensure that full PAN reconstruction is not possible.

As per the guidance listed in PCI DSS implementing keyed cryptographic hashes would haith associated key management processes and procedures in accordance with Requirement 3.5.1.1 is a ve different alid additional control to prevalues
- Use of separate storage systems, one for hashed and one for truncated PANs, that are isolated from each another using segmentation, separate access controls, etcent correlation.
- Configuring file/database systems to prevent the existence of any cross-references or links between a hash and a truncated PAN
- Use of real-time monitoring and dynamic response to detect and prevent requests to access correlating PAN values.

These examples are provided as suggestions; entities are not limited to only the above methods. Whichever methods are used, they should prevent unauthorized persons being able to correlate a hashed PAN to a truncated PAN, and be appropriate for the entity?s environment.