The Tricks of Storing PAN Data
PAN is an acronym whose meaning most people do not know. It stands for Primary Account Number, and such information must be protected and safeguarded. PCI DSS requires that the data be concealed so that customers’ personal information is not exposed. Storing PAN increases the risk to your business; if you have no business reason to store it, don’t.
If you have to store PAN data, you must comply with PCI DSS Requirement 3.4. These are policies laid down to guide the safeguarding of both users and clients. The data must be stored in a way that renders the card data unreadable, using one of the following methods:
- One-way hashes based on strong cryptography
- Index tokens and pads
- Strong cryptography with associated key-management processes and procedures
The following paragraphs illustrate hashing in action.
Card-not-present transaction with card-present verification at time of pick-up: If you book a rail ticket online, you are required to produce the actual card when collecting the ticket. This is used for verification, to ensure you are the person who made the booking. The kiosk attendant may ask you to insert the card. To avoid storing PAN data, the rail operator can choose to store only hashed data.
Recurring payment transactions: Another illustration is a fraud management system that stores only hash values of PAN data. By storing only hash values of the PAN within the fraud management system, you do not expose the real PAN data, even to fraud analysts.
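A worked example of the hashing used in the two scenarios above, added here and not taken from the original article. It assumes a keyed hash (HMAC-SHA256) under a secret key rather than a plain hash, because the space of valid PANs is small enough that an unkeyed hash can be recovered by enumeration; the key, the card number and the ticket id are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example only. In production the key is generated and
# held under the PCI DSS key-management procedures (HSM or key-management service).
HASH_KEY = secrets.token_bytes(32)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always hashes to the same value."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash of the entire PAN (HMAC-SHA256, hex encoded)."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def make_booking(pan: str, ticket_id: str) -> dict:
    """Record stored after the online purchase: the PAN itself is never kept,
    only its keyed hash and the last four digits permitted for display."""
    digits = normalize_pan(pan)
    return {"ticket_id": ticket_id, "pan_hash": hash_pan(digits), "last4": digits[-4:]}


def verify_at_pickup(booking: dict, presented_pan: str) -> bool:
    """Kiosk check: hash the inserted card with the same key and compare in
    constant time. The presented PAN is used in memory only, never stored."""
    return hmac.compare_digest(booking["pan_hash"], hash_pan(presented_pan))


def same_card(tx_a: dict, tx_b: dict) -> bool:
    """Fraud-management use: link recurring transactions by hash alone,
    without any analyst ever seeing a real PAN."""
    return hmac.compare_digest(tx_a["pan_hash"], tx_b["pan_hash"])
```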
How storage of PAN influences the scope of compliance
The only way to avoid the complications of PCI DSS compliance is to avoid storing PAN data. Storing it requires a great deal of validation to demonstrate that you have really adhered to the prescribed procedures.
Aligning your business requirements with a reduced PCI Scope
Securing stored PAN data is a sophisticated endeavor. However, if your business has a genuine need to store it, then it is worth getting right.