Frequently Asked Questions


Are truncated Primary Account Numbers (PAN) required to be protected in accordance with PCI DSS?

FAQ Response

Systems that store only truncated PANs (where a segment of the PAN data has been permanently removed) may be considered out of scope for PCI DSS if the system is adequately segmented from the cardholder data environment and does not otherwise store, process, or transmit cardholder data or sensitive authentication data. However, the system performing the truncation of the PANs, as well as any connected systems and networks, would be in scope for PCI DSS.

Note: Access to different truncation formats of the same PAN greatly increases the ability to reconstruct the full PAN, and the security value provided by an individual truncated PAN is significantly reduced. If the same PAN is truncated using more than one truncation format (for example, different truncation formats are used on different systems), additional controls should be in place to ensure that the truncated versions cannot be correlated to reconstruct additional digits of the original PAN.
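The note above warns that several truncation formats of the same PAN can be correlated to recover more digits than any one format reveals. The following is an added example, not part of the PCI SSC FAQ, that audits an inventory of truncation formats from the defender's side: it computes how many digit positions the union of all formats exposes and lists the pairs of formats whose correlation alone exceeds a single-format limit. The mask notation ('d' for a retained digit, 'x' for a removed one), the format names, the sample PAN, and the `MAX_VISIBLE` threshold are all constructed for illustration and are not PCI DSS figures.

```python
"""Added example (not from the PCI SSC FAQ): audit truncation formats applied
to the same PAN and flag combinations that, if correlated, would expose more
digits than any single format is allowed to keep.

Assumptions (constructed for this example, not taken from the FAQ):
  - a format is a mask of the PAN's length: 'd' = digit retained, 'x' = removed
  - MAX_VISIBLE is an illustrative policy limit, not a PCI DSS number
"""

from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Constructed policy threshold for this example only.
MAX_VISIBLE = 10

# Constructed truncation formats for a 16-digit PAN (names are illustrative).
FORMATS: Dict[str, str] = {
    "receipt_last4":       "xxxxxxxxxxxxdddd",
    "routing_first8":      "ddddddddxxxxxxxx",
    "report_first6_last4": "ddddddxxxxxxdddd",
}


def retained_positions(mask: str) -> Set[int]:
    """0-based positions of the digits a truncation format keeps."""
    if set(mask) - {"d", "x"}:
        raise ValueError("mask may contain only 'd' and 'x'")
    return {i for i, c in enumerate(mask) if c == "d"}


def truncate(pan: str, mask: str) -> str:
    """Apply a truncation format; removed digits are shown as '*'."""
    if len(pan) != len(mask):
        raise ValueError("mask length must match PAN length")
    keep = retained_positions(mask)
    return "".join(c if i in keep else "*" for i, c in enumerate(pan))


def combined_positions(masks: Iterable[str]) -> Set[int]:
    """Digit positions recoverable by lining up several truncated copies."""
    out: Set[int] = set()
    for m in masks:
        out |= retained_positions(m)
    return out


def audit(formats: Dict[str, str], max_visible: int = MAX_VISIBLE) -> Dict[str, object]:
    """Summarise how much of a PAN the union of all formats exposes and list
    the format pairs whose correlation alone exceeds the single-format limit."""
    all_visible = combined_positions(formats.values())
    risky_pairs: List[Tuple[str, str]] = []
    for (name_a, mask_a), (name_b, mask_b) in combinations(formats.items(), 2):
        pair_visible = retained_positions(mask_a) | retained_positions(mask_b)
        if len(pair_visible) > max_visible:
            risky_pairs.append((name_a, name_b))
    return {
        "largest_single_format": max(len(retained_positions(m)) for m in formats.values()),
        "combined_visible": len(all_visible),
        "exceeds_policy": len(all_visible) > max_visible,
        "risky_pairs": risky_pairs,
    }


if __name__ == "__main__":
    pan = "1234567890123456"  # constructed sample digits, not a real card number
    for name, mask in FORMATS.items():
        print(f"{name:22} {truncate(pan, mask)}")
    print(audit(FORMATS))
```

With the constructed formats above, each format alone keeps at most 10 digits, but the union of `routing_first8` with either of the other two reaches 12, which is the kind of correlation the FAQ says additional controls must prevent. A practical use is to run `audit()` over the truncation formats actually deployed across systems and treat any non-empty `risky_pairs` as a finding to be addressed by aligning formats or by keeping the differently truncated copies from being joined.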

March 2009
Article Number 1117