What are the Acceptable Formats for Truncation of PAN

Published 2021-09-17, last modified 2023-10-09. https://pcidssguide.com/what-are-the-acceptable-formats-for-truncation-of-pan/

Truncated PAN must be protected according to PCI DSS requirements. Instructions for truncating the PAN are described in PCI DSS, specifically PCI DSS requirement 3.4.

PCI DSS requirement 3.4 specifies that the PAN must be made unreadable wherever it is stored. In addition, PCI DSS sets out the acceptable methods that can be used to meet this requirement. Alongside truncation, these methods are strong one-way hash functions applied to the entire PAN, index tokens with securely stored pads, and strong encryption.

A security compromise of cardholder account data could occur if the PAN is not truncated correctly. It is critical to understand the requirements for PAN truncation if your company works with digital payments, stores PAN, or builds payment systems that store PAN.

See Also: PCI Requirements For Storing Credit Card Information

Truncation is the act of shortening something; when you store cardholder data, it is an acceptable method of rendering the PAN unreadable.

It is worth noting that truncation is a permanent operation, unlike PCI DSS requirement 3.3, which mandates masking the PAN when it is displayed. Truncation makes the stored PAN unreadable, whereas PCI DSS requirement 3.3 covers the temporary masking of card data when it is shown on paper receipts or screens.

According to the PCI Council, several truncation methods are acceptable; we discuss them in detail below.

What are the acceptable formats for truncating primary account numbers (PANs)?

PAN and other cardholder data should only be stored if they are required for legal, business, or regulatory reasons. Eliminating cardholder data storage is an easy way to avoid dealing with PCI DSS requirement 3 and to reduce the overall scope of a PCI DSS audit.

See Also: How do I Protect the Stored Payment Cardholder Data?

The PCI DSS expressly warns against storing a truncated PAN alongside a hashed version of the complete PAN. If attackers have access to both the truncated and the hashed versions of the same PAN, reconstructing the entire PAN can be simple.

If the PAN is available in both forms, you must implement additional security controls to ensure that the original PAN cannot be regenerated. The same applies when multiple truncated versions of the same PAN are stored on the same media.

A truncated PAN replaces the removed middle digits with a placeholder such as "x" or "0". More importantly, a hash cannot be used to replace the truncated segment of the PAN. The advantage of encryption is that if the transaction data is intercepted, the encrypted card data is unreadable: except to the processor who holds the decryption key, the data has no meaning.

The common industry practice is to remove the middle six digits, but the standards of the major card brands differ slightly. Organizations seeking flexibility in this area should review the individual requirements of each card brand.

PCI DSS-acceptable truncation formats vary with PAN length and payment brand requirements.