jimscard
Newcomer III

Re: PCI-DSS

What you describe is the best practice -- especially since PANs may never be stored in the clear -- they must always be rendered unreadable, and rendering them unreadable via a one-way cryptographic hash is one of the best ways for a system like this. Especially considering that running a given PAN through the hash algorithm and then searching for entries in the register that match would satisfy most use cases, e.g., "provide a list of all transactions that the card with the PAN 4444 4444 4444 4444 was used in."


Keep in mind, though, that legal obligations, such as national or local laws, do supersede PCI DSS requirements, even if they increase risk. It may be possible, however, to comply with both, e.g., by strongly encrypting the CHD in the register, decrypting it only as needed to respond to legitimate requests as required by your law (check with your legal advisors).

Jim Scardelis, CISA, CISSP, PA-QSA(P2PE), PCI 3DS Assessor, PCI SSA, PCI SSLCA, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, MCSE
Any views or opinions contained in this communication are solely those of the author.
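As an added example (not part of the post above), a minimal Python transaction register that stores a keyed hash (HMAC-SHA256) of each PAN instead of the PAN, and answers the "all transactions for this card" query by recomputing the token. The key, the register layout and the sample transactions are constructed for illustration; a keyed hash rather than a bare SHA-256 is used because the space of valid PANs is small enough that an unkeyed hash of a PAN can be recovered by exhaustive search, which is why PCI DSS v4.0 Requirement 3.5.1.1 requires keyed hashes for this purpose.

```python
import hmac
import hashlib

# Constructed example: the HMAC key is a placeholder. In production the key
# lives in an HSM or key-management system and is never stored beside the
# register; whoever holds it can recompute tokens, so it is CHD-equivalent.
HMAC_KEY = b"placeholder-key-replace-in-production"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes so '4444 4444 4444 4444' and '4444-4444-...' match."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def pan_token(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed one-way token of the entire PAN (hex HMAC-SHA256)."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def record_transaction(register: list, pan: str, amount: str, txn_id: str,
                       key: bytes = HMAC_KEY) -> None:
    """Append a transaction; only the token is stored, never the PAN."""
    register.append({"txn_id": txn_id, "amount": amount,
                     "pan_token": pan_token(pan, key)})


def transactions_for_pan(register: list, pan: str, key: bytes = HMAC_KEY) -> list:
    """Answer 'which transactions used this card?' by recomputing the token."""
    wanted = pan_token(pan, key)
    return [r["txn_id"] for r in register
            if hmac.compare_digest(r["pan_token"], wanted)]


def build_sample_register() -> list:
    """Constructed sample data using the PAN quoted in the post."""
    register = []
    record_transaction(register, "4444 4444 4444 4444", "10.00", "T1")
    record_transaction(register, "4111 1111 1111 1111", "5.00", "T2")
    record_transaction(register, "4444444444444444", "7.50", "T3")
    return register
```

A lookup with a different key, or with the key rotated without re-tokenizing the register, returns nothing, so key management has to be planned alongside the register.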