FAQ #1089 Diff
Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS?
Earlier Version / Later Version (text present only in the earlier version is marked "Removed"; text present only in the later version is marked "Added")

One-way hashing is a method that can be used to render PAN unreadable in storage. The hashing process and results, as well as the system(s) that perform the hashing, are in scope for a PCI DSS assessment to assure that the process meets applicable PCI DSS requirements.

If the hashing result is transferred and stored within a separate environment, the hashed PAN in that separate environment would no longer be considered cardholder data and would be out of scope for additional PCI DSS requirements. However, if the hashed PAN is stored on the same system or in the same environment that performed the hashing, that system or environment is considered to be storing cardholder data and remains within PCI DSS scope.

PCI DSS requires that hashing be of the entire PAN and be based on strong cryptography. This means that collisions would not occur frequently, and the hash cannot be recovered or easily determined during an attack.

Removed: For PCI DSS v3.2.1, it is recommended, but not required, that an input variable, or salt, be used. Additionally, PCI DSS v4.0 introduces a new requirement for processes that hash PAN to use keyed cryptographic hashing. This new requirement is a best practice in PCI DSS v4.0 until 31 March 2025.

Added: Additionally, PCI DSS v4.x includes Requirement 3.5.1.1 to use keyed cryptographic hashing for hashes used to render PAN unreadable.

Since hashing is used when there is no need to recover the PAN, a recommended practice is to remove the PAN rather than allowing the possibility of a compromise cracking the hash and revealing the original PAN. If the entity intends to recover and use the PAN, then hashing is not an option and an alternative method for rendering the PAN unreadable should be considered.
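As an added illustration that is not part of the FAQ or of any PCI SSC material, the following Python contrasts an unkeyed hash of the full PAN with the keyed hash (HMAC) that v4.x Requirement 3.5.1.1 calls for: with a plain hash, anyone holding a candidate PAN can recompute and confirm the stored value, whereas the keyed hash cannot be recomputed without the secret key. The sample PAN is a standard test number and the key is a constructed placeholder; the Luhn and length checks are an assumption of this example, used to refuse hashing anything but a complete PAN.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check so that only a complete, plausible PAN is ever hashed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 over the PAN: anyone with a candidate PAN can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN; recomputation requires the secret key.

    The key must be generated and stored separately from the hashes, under the
    entity's key-management controls, otherwise the keyed hash degrades to the
    unkeyed case.
    """
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("refusing to hash a partial or malformed PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def matches(pan: str, stored: str, key: bytes | None) -> bool:
    """Check a candidate PAN against a stored value, in constant time."""
    computed = unkeyed_hash(pan) if key is None else keyed_hash(pan, key)
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # placeholder key for the demo only
    print("unkeyed match without any secret:",
          matches(SAMPLE_PAN, unkeyed_hash(SAMPLE_PAN), None))      # True
    print("keyed match with the wrong key:",
          matches(SAMPLE_PAN, keyed_hash(SAMPLE_PAN, key), b"x"))   # False
```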
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.