Be aware if you are storing Card Numbers using hashed and truncated version of PAN


A payment application designed to store both a hashed and a truncated version of the PAN (card number) is required to implement additional controls that prevent the two from being correlated.

Many times, PCI DSS QSAs know the requirements but lack examples or demonstrations that make customers understand the impact of a lapse in a specific control. This blog is one such example: a QSA can use it to show customers how easy it is to correlate the hashed and truncated versions of a card number and obtain the clear-text PAN.

With fewer than 6 lines of Python code, a hashed PAN, correlated with its truncated version, can easily be brute-forced, and the attacker obtains the original PAN.

To accomplish this, the attacker needs the first 6 and the last 4 digits of the card number (exactly what truncation exposes) and then has to guess (brute-force) only 10 digits. Since the card number length is only 16 digits, this is very easy, and the approach also extends to other card lengths.

Please see the Proof of Concept (POC) below. It is for 1 test card number of 16 digits hashed with SHA-512. Over multiple rounds of execution, the average time to recover the original PAN is approx. 1 sec.
[Image: brute_force_hash (proof-of-concept screenshot)]
As a QSA, one should always ask clients to store the truncated PAN and the hashed value separately and to use a salted hash.
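To make the demonstration concrete, here is an added example (not the post's own POC, which was a screenshot) that reconstructs a constructed 16-digit test PAN from its truncated form and an unsalted SHA-512 hash, and then shows the same search failing against a keyed hash (HMAC-SHA256 under a secret key held outside the cardholder data environment), one way to implement the separate, salted storage recommended above. The PAN 4111110012345679, the key value and the helper names are all constructed for this example; the search prunes candidates with the Luhn check, which is why the effective space is even smaller than the digit count suggests.

```python
import hashlib
import hmac
from typing import Callable, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; a candidate that fails it cannot be a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def unsalted_sha512(pan: str) -> str:
    """Weak pattern from the post: plain SHA-512 over the PAN, no salt or key."""
    return hashlib.sha512(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Hardened form: HMAC-SHA256 under a secret key stored outside the CDE."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def candidate_count(pan_len: int = 16) -> int:
    """Size of the search space once the first 6 and last 4 digits are known."""
    return 10 ** (pan_len - 10)


def reconstruct_pan(truncated: str, stored_hash: str, hasher: Callable[[str], str],
                    pan_len: int = 16, limit: Optional[int] = None) -> Optional[str]:
    """Enumerate the hidden middle digits of a truncated PAN such as
    411111******5679 and return the candidate whose hash matches, or None.
    `limit` bounds the work so a failing search stops early."""
    first6, last4 = truncated[:6], truncated[-4:]
    width = pan_len - 10
    space = candidate_count(pan_len) if limit is None else min(limit, candidate_count(pan_len))
    for n in range(space):
        candidate = f"{first6}{n:0{width}d}{last4}"
        if not luhn_valid(candidate):
            continue  # skip ~90% of candidates without hashing them
        if hmac.compare_digest(hasher(candidate), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111110012345679"  # constructed, Luhn-valid test PAN
    truncated = pan[:6] + "*" * 6 + pan[-4:]
    print("candidates to try:", candidate_count())
    print("unsalted SHA-512 :", reconstruct_pan(truncated, unsalted_sha512(pan), unsalted_sha512))
    key = b"constructed-demo-key"  # in practice an HSM/KMS-managed key, never stored with the data
    print("keyed, key absent:", reconstruct_pan(truncated, keyed_hash(pan, key), unsalted_sha512, limit=5000))
```

The first search recovers the PAN from the truncated value alone; the second cannot succeed without the key, which is the property the additional controls in Requirement 3.4 are meant to provide.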

Per PCI DSS Requirement 3.4e, if the hashed PAN and the truncated PAN of the same credit/debit card number exist in the same environment, additional security controls must be in place to prevent reconstruction of the original PAN.

Further guidance is provided by the PCI SSC in their FAQ: "How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4?"

These QSAs perform comprehensive PCI compliance assessments that relate to the protection of customer SAD such as PAN. To learn more about protecting cardholder data and PCI DSS certification, visit our PCI DSS Certification page.

Credits:
Varun Kaushik
VP – APAC Continuous Compliance, ControlCase.

About Us

ControlCase is a global provider of technology-driven compliance and security solutions. ControlCase is committed to partnering with clients to develop strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments.

ControlCase provides the best experts, customer experience and technology for regulations including PCI DSS, GDPR, SOC2, HIPAA, ISO 27001/2, CCPA, SWIFT, Microsoft SSPA, CSA STAR, SCA, PA DSS, PCI P2PE, PCI PIN, PCI 3DS, PCI Secure Software, PCI Secure SLC.

https://www.controlcase.com

© ControlCase LLC 2023