Frequently Asked Questions

Must payment applications ensure that hashed and truncated versions cannot be correlated?

FAQ Response

Yes. A payment application designed to store both hashed and truncated versions of a PAN is required to have additional controls to prevent their correlation, as noted in PA-DSS Requirement 2.3. This is to support PCI DSS Requirement 3.4 for entities using the payment application.

Refer to FAQ “How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4?” for further information.

November 2014
Article Number 1309