PCI DSS PAN protection — storage minimisation, masking, encryption
Primary statement
PAN (Primary Account Number) protection per PCI DSS v4.0.1: (1) storage limited to legitimate business need; SAD not retained after authorisation (PCI 3.1 + 3.3.1); (2) PAN masked when displayed — first six + last four maximum visible (PCI 3.4.1); (3) PAN rendered unreadable wherever stored via one-way hash, truncation, index tokens, or strong cryptography (PCI 3.5.1); (4) keyed cryptographic hashes (HMAC/CMAC) covering full PAN (PCI 3.5.1.1 — future-dated); (5) disk-level encryption restricted to removable media only (PCI 3.3.1.3).
Audit-fatigue payoff
A unified PAN protection programme — storage minimisation register + masking enforcement + cryptographic rendering + key management — satisfies PCI DSS PAN requirements end-to-end. PCI DSS Requirement 3 IS the audit framework for this cluster; no other framework provides equivalent depth.
Strictness matrix
Scope
Scope: PAN wherever stored — production, non-production, backups, archives, paper, logs, derived datasets. ALL storage locations in scope. SAD not retained after authorisation under any circumstance.
Ceiling source: pci_dss:PCI.3.5.1
Rationale: PCI DSS 3.5.1 "wherever stored" scope is the broadest.
Threshold
Display threshold: first six + last four maximum visible. Personnel with legitimate need to see full PAN documented with business justification. Storage threshold: rendered unreadable via hash / truncation / index token / strong crypto.
Ceiling source: pci_dss:PCI.3.4.1
Rationale: PCI DSS 3.4.1 first-6/last-4 masking threshold is the binary display test.
Method
Method: (1) PAN inventory across all storage locations; (2) SAD purge after authorisation; (3) storage minimisation per legitimate business need; (4) masking at display per PCI 3.4.1; (5) PAN rendered unreadable per PCI 3.5.1 — one-way hash (full PAN coverage per 3.5.1.1), truncation, index tokens, or strong cryptography; (6) keyed cryptographic hash (HMAC/CMAC) for hash approach (future-dated 3.5.1.1); (7) disk-level encryption restricted to removable media (3.3.1.3); (8) key management per cl-cryptography-mgmt.
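As an added worked example (not from this page, the PCI SSC, or any named product) of method steps (4) to (6): Python functions for display masking to first six + last four, storage truncation, and a keyed cryptographic hash (HMAC-SHA256) over the full PAN, plus a check that a displayed value actually meets the masking threshold. The test card number, the key identifier scheme and the per-run random key are assumptions; in a real deployment the key comes from the key-management process referenced in cl-cryptography-mgmt.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample input: a well-known test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"

# Assumed key handling: the HMAC key comes from the key-management process
# (HSM/KMS, documented cryptoperiod). A random per-run key is generated here
# only so the example runs stand-alone; never hard-code a real key.
DEMO_KEY_ID = "pan-hmac-2024-1"   # hypothetical key identifier
DEMO_KEY = secrets.token_bytes(32)


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes; accept only 13-19 digit strings."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display masking (PCI DSS 3.4.1): at most the first six and last four
    digits visible; every digit in between is replaced."""
    d = normalise_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep first six + last four and discard the middle
    digits permanently. Use where matching on the full number is not needed."""
    d = normalise_pan(pan)
    return d[:6] + d[-4:]


def keyed_hash_pan(pan: str, key: bytes, key_id: str) -> str:
    """Keyed cryptographic hash (HMAC-SHA256) over the FULL PAN (3.5.1.1).
    The key identifier is stored with the digest so values can be re-hashed
    when the key reaches the end of its cryptoperiod."""
    d = normalise_pan(pan)
    digest = hmac.new(key, d.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{key_id}:{digest}"


def mask_is_compliant(displayed: str) -> bool:
    """Masking check for a displayed value: at most six leading and four
    trailing digits may be visible, and no digit may show in between.
    A fully visible PAN fails because more than six leading digits show."""
    s = re.sub(r"[ -]", "", displayed)
    lead = len(s) - len(s.lstrip("0123456789"))
    trail = len(s) - len(s.rstrip("0123456789"))
    middle = s[lead:len(s) - trail] if trail else s[lead:]
    return lead <= 6 and trail <= 4 and not any(c.isdigit() for c in middle)


if __name__ == "__main__":
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("hmac:     ", keyed_hash_pan(SAMPLE_PAN, DEMO_KEY, DEMO_KEY_ID))
    print("compliant:", mask_is_compliant(mask_pan(SAMPLE_PAN)))
```

The unkeyed alternative (a plain SHA-256 of the PAN) is what 3.5.1.1 rules out: the PAN space is small enough that an unkeyed digest can be reversed by enumeration, while an HMAC with a managed key cannot be recomputed without that key. Storing the key identifier alongside the digest is what makes key rotation at the end of the cryptoperiod operationally possible.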
Ceiling source: pci_dss:PCI.3.5.1
Rationale: PCI DSS Requirement 3 controls combine to the comprehensive method.
Frequency
PAN discovery scan: at least quarterly (consistent with PCI DSS internal scan cadence). Storage minimisation review: annual + on processing change. Key rotation: per documented cryptoperiod (typical: annual to bi-annual for encryption keys).
Ceiling source: pci_dss:PCI.3.1
Rationale: Quarterly PAN discovery scan is the audit-defensible cadence.
Evidence
Required evidence: (1) PAN inventory across all storage locations; (2) SAD purge configuration evidence; (3) storage minimisation business-need register; (4) PAN masking enforcement evidence (sample displays); (5) PAN rendering approach per location with implementation evidence; (6) for hash approach, keyed cryptographic hash configuration (3.5.1.1); (7) PAN discovery scan reports (quarterly); (8) key management evidence (cl-cryptography-mgmt).
Ceiling source: pci_dss:PCI.3.5.1
Rationale: PCI DSS 3.5.1 evidence list is comprehensive.
Auditor test pattern
Step 1: Inspect PAN inventory across all storage locations. Step 2: Verify SAD purge after authorisation. Step 3: Sample 3 display points; verify masking (first 6 + last 4). Step 4: For each storage location, verify PAN rendering approach (hash, truncation, index, crypto). Step 5: For hash approach, verify keyed cryptographic hash (HMAC/CMAC) per 3.5.1.1. Step 6: Inspect quarterly PAN discovery scan results. Step 7: Verify disk-level encryption is restricted to removable media only.
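Added example (not from this page or any named tool) supporting the quarterly PAN discovery scan under Frequency and auditor steps 2, 3 and 6: a scanner over constructed log lines that finds 13-19 digit runs (with or without space/dash separators), keeps only Luhn-valid ones to drop order and session ids, reports each hit masked so the report itself does not become a new PAN store, and flags field names that indicate SAD retained in a record. The log lines, field-name list and regexes are assumptions; the card numbers are well-known test numbers.

```python
import re

# Constructed sample log lines (not from any real system). Card numbers are
# well-known test numbers, not real accounts.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z payment-api INFO charge ok pan=411111******1111 amount=42.00
2024-05-02T10:14:07Z payment-api DEBUG raw request: {"pan":"4111111111111111","cvv":"123"}
2024-05-02T10:15:11Z support-tool INFO lookup card 5500 0000 0000 0004
2024-05-02T10:16:45Z batch INFO order 1234567890123456 ref=ORD-0002
2024-05-02T10:17:02Z batch INFO session-id 9999888877776666
"""

# 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that indicate sensitive authentication data (SAD) in a record
# (assumed list; extend per the application's own field naming).
SAD_FIELD = re.compile(
    r'(?<![A-Za-z])(?:cvv2?|cvc|track[12]?|pin)(?![A-Za-z])"?\s*[:=]',
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; filters out digit runs that cannot be PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return findings for one line. Already-masked values (first six + last
    four) never reach 13 consecutive digits, so they produce no finding."""
    findings = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # order ids, session ids and similar non-PAN digit runs
        findings.append({
            "type": "clear_pan",
            # Report only the masked form, never the full PAN.
            "masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
            "column": m.start(),
        })
    if SAD_FIELD.search(line):
        findings.append({"type": "sad_indicator"})
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log body; each finding is tagged with its 1-based line number."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            f["line"] = lineno
            report.append(f)
    return report


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample above the scanner reports the DEBUG request body (clear PAN plus a SAD indicator for the CVV field) and the support-tool lookup, and stays silent on the correctly masked charge line and on the two digit runs that fail the Luhn check. Findings of the first two kinds map directly onto common findings (1) and (2); the masked-only report format is what lets the scan output be kept as audit evidence without itself widening PAN storage scope.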
Common findings
Common 2024–26 findings: (1) PAN found in unexpected locations (logs, support tools, non-production); (2) SAD retained briefly post-auth in session logs; (3) Disk-level encryption used on non-removable media — fails 3.3.1.3; (4) Hash approach without keyed crypto — fails future-dated 3.5.1.1; (5) Masking inconsistent across UIs; (6) PAN discovery scan annual, not quarterly; (7) Storage minimisation business-need register absent.