{"id":1761,"date":"2021-09-17T15:44:06","date_gmt":"2021-09-17T15:44:06","guid":{"rendered":"https:\/\/www.pcidssguide.com\/?p=1761"},"modified":"2023-10-09T18:44:24","modified_gmt":"2023-10-09T18:44:24","slug":"what-are-the-acceptable-formats-for-truncation-of-pan","status":"publish","type":"post","link":"https:\/\/pcidssguide.com\/what-are-the-acceptable-formats-for-truncation-of-pan\/","title":{"rendered":"What are the Acceptable Formats for Truncation of PAN"},"content":{"rendered":"\n\n\n\n\n
Truncated PAN must be protected according to PCI DSS requirements. Instructions for truncating the PAN are described in PCI DSS, specifically PCI DSS requirement 3.4.<\/p>\n\n\n\n
PCI DSS requirement 3.4 specifies that the PAN must be made unreadable wherever it is stored. In addition, PCI DSS sets out acceptable methods that can be used to meet this requirement. Besides truncation, these methods include strong one-way hash functions, index tokens with securely stored pads, and strong cryptography.<\/p>\n\n\n\n
A security compromise of cardholder account data could occur if the PAN is not truncated correctly. It’s critical to understand the requirements for PAN truncation if your company works with digital payments, stores PAN, or creates payment systems that store PAN.<\/p>\n\n\n\n
See Also: PCI Requirements For Storing Credit Card Information<\/strong><\/a><\/p>\n\n\n\n Truncation is the act of shortening something; it is an acceptable method of rendering the PAN unreadable when cardholder data is stored.<\/p>\n\n\n\n It’s worth noting that truncation is a permanent operation, unlike PCI DSS requirement 3.3, which mandates masking the PAN while it’s presented. Whereas truncation makes the stored PAN unreadable, PCI DSS requirement 3.3<\/a> addresses the temporary masking of data when card data is displayed on paper receipts or screens.<\/p>\n\n\n\n According to the PCI Council, there are multiple acceptable truncation methods, which we will discuss in detail below.<\/p>\n\n\n\n PAN and other cardholder data should only be stored if they are required for legal, business, or regulatory reasons. Eliminating cardholder data storage is an easy way to avoid dealing with PCI DSS requirement 3 and to reduce the overall scope of a PCI DSS audit.<\/p>\n\n\n\nWhat are the acceptable formats for truncating primary account numbers (PANs)?<\/strong><\/h2>\n\n\n\n