How can PAN Data be rendered unreadable as required under PCI DSS?

Published on : 21 Jan 2022


The Primary Account Number (PAN) is the most important and essential element of cardholder data. PAN data can be combined with other data to identify customers and their related bank account details and, more importantly, to make transactions and payments. Knowing how sensitive and critical this piece of data is, the PCI Council in its PCI DSS requirements clearly states that PAN data must not be stored unless required. It further requires merchants to implement measures for the safe and secure handling of such data. If PAN data is stored in the cardholder data environment, it must be protected as per the requirements outlined in PCI DSS.

If PAN data is stored with other elements of cardholder data, then the PAN data must be rendered unreadable as per PCI DSS Requirement 3.4. Below we explain why PAN data should be rendered unreadable and how merchants can use different techniques to make the data unreadable.

Why should PAN data be rendered unreadable? 

Storing customers' cardholder data in the environment drastically increases the security risk for businesses and, consequently, widens the scope of compliance for the merchants storing such data. So, it is highly recommended that merchants do not store PAN data unless it is absolutely essential and the business has a legitimate commercial reason to do so.

If for any reason the PAN data is stored in the environment, then it should be rendered unreadable. This is essential from a security perspective: rendering data unreadable reduces the possibility of data theft and data breaches that could impact the business. Having such measures in place is crucial not just from the security standpoint but also from the compliance perspective.

PCI DSS Requirement 3.4 requires vendors/merchants to ensure that PAN data is rendered unreadable. No matter where the data is stored, be it portable digital media, backup media, or logs, the PAN data must be secured and rendered in a form that cannot be read or accessed by an unauthorized person.

This can be achieved using one-way hashes based on strong cryptography, truncation, tokenization, or strong cryptography with associated key-management processes and procedures. Below we describe each approach in detail and how it can be used to secure data as per PCI DSS requirements.

Techniques of Rendering PAN Data unreadable

Masking

Masking is a technique whereby sensitive data is replaced with alternate characters, hashes, or numbers to maintain the confidentiality of the data when it is displayed or presented to an individual. It is adopted to ensure the security and privacy of the data, and is one way the data can be rendered unreadable. As per PCI DSS Requirement 3.3, vendors must mask PAN when it is displayed, and only the first six and last four digits can be stored / processed / transmitted for a process / technology / application to be considered out of scope. We often see this technique used by shops and restaurants: when customers make card payments, the receipt handed to them has the card number masked, with digits replaced by "XXXX" rather than the actual digits. In this example, the shop or restaurant is therefore not considered in scope of PCI DSS.

Truncation

Similar to masking, truncation is a process that ensures the stored card data is rendered unreadable. But in this process a segment of the card data is removed rather than replaced with alternate characters. While it resembles masking in that at most the first six and last four digits are displayed, the rest of the digits are permanently removed/deleted rather than replaced with hashes, numbers, or characters.

So, in this way only a fraction of the PAN is stored, with the vendor deleting the rest of the data permanently. Using truncation, the PAN data becomes unreadable and is no longer considered cardholder data. This is the most common practice adopted by vendors to render PAN data unreadable and to deal with growing credit card fraud in the industry. Truncation provides maximum security to cardholder data and prevents the possibility of data theft or breach.
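Masking and truncation differ in what survives: masking alters only the displayed form while the full PAN may still exist, whereas truncation discards the middle digits for good. The following added example (not code from this article) shows both in Node.js. maskPan hides digits for display, capped at the first six and last four the article cites, and truncatePan keeps only those digits. The Luhn check, the 13 to 19 digit length rule and the well-known test PAN 4111 1111 1111 1111 are assumptions of the example, not part of the original text.

```javascript
// Added example (not from the article): masking and truncation of a PAN.
// Assumptions: a PAN is a 13-19 digit string; the Luhn check is used only to
// reject input that is clearly not a card number before it is handled.

function luhnValid(digits) {
  // Standard Luhn mod-10 check, walking from the rightmost digit.
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function normalizePan(pan) {
  // Strip the spaces/dashes often present on receipts or in forms, then validate.
  const digits = String(pan).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits) || !luhnValid(digits)) {
    throw new Error('input is not a well-formed PAN');
  }
  return digits;
}

// Masking (Req. 3.3): the full PAN may still exist in storage; only the
// displayed form is altered. keepFirst/keepLast are capped at 6 and 4, the
// maximum the article cites; receipts typically show only the last four.
function maskPan(pan, keepFirst = 0, keepLast = 4) {
  const digits = normalizePan(pan);
  const first = Math.min(keepFirst, 6);
  const last = Math.min(keepLast, 4);
  const hidden = 'X'.repeat(digits.length - first - last);
  return digits.slice(0, first) + hidden + digits.slice(digits.length - last);
}

// Truncation (Req. 3.4): the middle digits are discarded, not replaced, so
// what is stored can never be turned back into the PAN.
function truncatePan(pan) {
  const digits = normalizePan(pan);
  return { bin: digits.slice(0, 6), last4: digits.slice(-4) };
}

// Constructed sample PAN (a widely used test number, not a real card).
const SAMPLE_PAN = '4111 1111 1111 1111';
console.log(maskPan(SAMPLE_PAN));        // XXXXXXXXXXXX1111
console.log(maskPan(SAMPLE_PAN, 6, 4));  // 411111XXXXXX1111
console.log(truncatePan(SAMPLE_PAN));    // { bin: '411111', last4: '1111' }
```

Note that truncatePan returns two separate fields rather than one string, so the stored record cannot be mistaken for a full PAN by a downstream system or a log scanner.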

One-Way Hashing

One-way hashing is a proven technique for securing data through cryptography, using algorithms such as SHA-2. The process converts the information into a unique string of data, and since the process is irreversible it is known as one-way hashing.

This technique ensures the confidentiality and integrity of the data, as any modification to the original data will result in a different hash value. So, when it comes to one-way hashing of PAN data, it is impossible for a hacker to recreate the original PAN data from the hashed version. Moreover, just like truncation, one cannot retain or reconstruct data that is hashed or truncated in the cardholder environment, nor can the data be correlated to obtain the original data.


Tokenization

Tokenization is a technique of replacing the original data with surrogate data known as a "token". These tokens have no correlation to the original data and hence have no value to hackers who gain access to them. However, the technique is reversible: the original data can be retrieved, but only with access to additional relevant data that is often stored securely outside the cardholder environment.

This technique is often used when the stored data needs to be secured but must also remain accessible or retrievable for subsequent transactions by vendors/merchants. So, basically, with tokenization the system replaces the original data with a token but provides no way for a hacker to decipher the token and reveal the original data unless they have access to that other relevant data.

Encryption

Encryption is the process of converting readable data into ciphertext, a string of seemingly random characters, using encryption algorithms so that the ciphertext replaces the original data. Encryption algorithms provide confidentiality and control access to the data through the encryption keys. This way the data is secured, and a hacker gains nothing of value from access to the encrypted data. With encryption, the data can only be recovered by decrypting it with the decryption keys. These keys are difficult to access, and only authenticated individuals have access to them. So, this way the probability of data theft or data breach is also low.

Conclusion

We are all aware that storing PAN data can be a huge threat not just to the business but also to the cardholders. Businesses that have a legitimate reason for storing such sensitive data need to adopt the above techniques as precautionary measures to ensure that the cardholder data they store is safe and the cardholder environment remains PCI compliant.

For these reasons, adopting one of the above techniques and rendering the cardholder data unreadable is essential. To back this, businesses must also establish relevant policies and procedures for data retention and storage in the environment. These will limit the storage and retention of data strictly to what is required by business necessity or by legal or regulatory purposes.

 

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.