Information Security Policy Development for Compliance
3.4 Render PAN unreadable anywhere it is stored (including on
portable digital media, backup media, and in logs) by using any of the
following approaches:
• One-way hashes based on strong cryptography (hash must be
of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated
segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes
and procedures
Note: It is a relatively trivial effort for a malicious individual to
reconstruct original PAN data if he or she has access to both
the truncated and hashed versions of a PAN. Where hashed
and truncated versions of the same PAN are present ...
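
The note's concern, measured on test data, as an added example that is not part of the book or the standard: a truncated PAN leaves so few Luhn-valid candidates that a plain hash of the same PAN stored beside it no longer protects anything. The truncation format (first six and last four digits kept), the unsalted SHA-256 hash, and all function names are assumptions; the PAN is a constructed test number.

```python
import hashlib
from itertools import product


def luhn_ok(pan: str) -> bool:
    """Validate the Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str, head: int = 6, tail: int = 4) -> str:
    """Assumed truncation format: keep the first `head` and last `tail` digits."""
    return pan[:head] + "X" * (len(pan) - head - tail) + pan[-tail:]


def candidates(truncated: str):
    """Yield every Luhn-valid PAN consistent with a truncated value."""
    masked = truncated.count("X")
    head, tail = truncated.split("X" * masked)
    for mid in product("0123456789", repeat=masked):
        pan = head + "".join(mid) + tail
        if luhn_ok(pan):
            yield pan


def correlate(truncated: str, digest_hex: str):
    """Return (matching PANs, candidates tested) for a truncated/hashed pair."""
    matches, tested = [], 0
    for pan in candidates(truncated):
        tested += 1
        if hashlib.sha256(pan.encode()).hexdigest() == digest_hex:
            matches.append(pan)
    return matches, tested


# Constructed test data: a widely published test card number, not a real account.
TEST_PAN = "4111111111111111"
STORED_TRUNCATED = truncate(TEST_PAN)                        # 411111XXXXXX1111
STORED_HASH = hashlib.sha256(TEST_PAN.encode()).hexdigest()  # stored beside it

if __name__ == "__main__":
    matches, tested = correlate(STORED_TRUNCATED, STORED_HASH)
    print(f"{STORED_TRUNCATED}: {tested} candidates tested, matches={matches}")
```

The same check run against a data store's own test records shows whether its hashed and truncated fields can be correlated.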