If your business accepts credit card payments, you have probably heard of the Payment Card Industry Data Security Standard (PCI DSS) and the term “PAN data.” PAN is an acronym for primary account number. It refers to the unique payment card number that identifies the issuer and the cardholder account. This information is protected under PCI DSS.

Storing your customers’ entire PAN data drastically raises your company’s security risk. Moreover, it hinders PCI compliance because it requires a series of additional steps to prevent data breaches of stored PAN. PCI DSS requirement 3.4 states that all merchants must use one of the following methods to render PAN unreadable and unrecoverable:

  • Strong cryptographic one-way hashes of the entire PAN
  • PAN truncation
  • Index tokens and pads
  • Strong cryptography with associated key-management processes and procedures

Meanwhile, PCI DSS requirement 3.3 requires that the PAN data be masked when displayed. At most the first six and last four digits of the PAN may be visible, and only authorized individuals with legitimate business needs can see the rest of the information.

What Is the Difference Between PAN and Cardholder Data?

In its official glossary, the PCI Security Standards Council (PCI SSC) states: “At a minimum, cardholder data consist of the full PAN.” This may seem to suggest that cardholder data and PAN data are interchangeable terms, but they are not. Cardholder data can also include the cardholder name, service code, expiration date, and sensitive authentication data (SAD).

In other words, PAN data is only one of several parts of cardholder data. PAN data must be protected according to the PCI SSC standards, and the rules for storing it are tighter than those for most other cardholder data.

What Is the Process of PAN Data Protection?

PCI DSS requirements 3.3 and 3.4 describe the practices required within the cardholder data environment for storing PAN data. These personal data protection processes have the same objective (to make the data unreadable) but vary in the method of achieving secure data storage.


Masking

Masking is display protection for the PAN data that limits the amount of visible information when validating information or extracting information for display. This process masks PAN digits with Xs or other symbols, leaving only the first six and last four digits visible on documents and screens. It’s important to note that a masked PAN can be unmasked, because the full number still exists behind the display.


Truncation

Truncation also displays no more than the first six and last four digits, but differs from masking because part of the PAN is literally removed from the data set. In the event of a data breach, the truncated segments of PANs have no value and cannot be used in any way.

One-Way Hashing

This method relies on a hash function to convert the PAN into a unique data string, so that every PAN has a different result. The hash value is irreversible and is commonly used in card-not-present transactions for later verification of such information. Although there is no way to decrypt the hash, a given PAN always produces the same hash, which is what makes that later comparison possible.


Encryption

Encryption, like the other storage protections, changes the PAN digits entered into a different string that is stored on the servers. In this case, the data is encrypted using cryptographic keys, which can also reverse the function and give access to the encrypted information. These encryption keys are securely stored, which is what protects the PAN information.


Tokenization

Tokenization is a middle ground between one-way hashes and encryption. It replaces the original PAN with a surrogate string, a token. Tokens can be calculated directly from the PAN, similar to one-way hashes, or randomly generated.
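The following Python sketch is an added example, not code from the original article or from any PCI SSC document. It puts masking, truncation, one-way hashing and random tokenization side by side on one constructed test number, so the difference between hiding, discarding and substituting digits is visible. The function names, the `tok_` prefix, the in-memory vault and the use of HMAC-SHA-256 as the hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed input: a widely published test number

def _digits(pan):
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("expected 13-19 ASCII digits")
    return pan

def mask(pan):
    """Display only: the caller still holds the full PAN, so this can be undone."""
    pan = _digits(pan)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def truncate(pan):
    """Storage: the middle digits are dropped, so the stored record cannot be unmasked."""
    pan = _digits(pan)
    return {"first6": pan[:6], "last4": pan[-4:], "length": len(pan)}

def keyed_hash(pan, key):
    """One-way and deterministic. A keyed hash (HMAC) is used here as an assumption,
    because the space of possible PANs is small enough to enumerate without a key."""
    return hmac.new(key, _digits(pan).encode("ascii"), hashlib.sha256).hexdigest()

class TokenVault:
    """Random tokens: the token carries no information about the PAN.
    The dicts stand in for a vault that would itself store PANs encrypted."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = _digits(pan)
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token):
        return self._pan_by_token[token]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo key; a real key comes from key management
    print(mask(SAMPLE_PAN), truncate(SAMPLE_PAN))
    print(keyed_hash(SAMPLE_PAN, key), TokenVault().tokenize(SAMPLE_PAN))
```

Requirement 3.4 also notes that the truncated and hashed versions of the same PAN should not be correlatable in one environment, since together they make the missing digits far easier to recover.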

What Is PCI DSS Compliance?

The Payment Card Industry Data Security Standard applies to any business that stores, processes, or transmits cardholder data, PAN data in particular. Consequently, PCI compliance is essential to avoid fines imposed by financial institutions or credit card issuers for poor cybersecurity.

The PAN data protection requirements are an essential part of PCI compliance, but they aren’t the only requirements within the PCI DSS. Organizations must invest in PCI compliance management to reduce the reputational and financial risk related to non-compliance with this standard.

Discover How ZenGRC Helps With Compliance

You’ll need the correct tools to demonstrate PCI DSS compliance. Spreadsheets and other antiquated risk management techniques can cause confusion, redundancy, and hazardous gaps in your data security procedures.

ZenGRC is a software platform designed to make compliance more straightforward than ever before, whether you’re completing a self-assessment or preparing for an audit. ZenGRC helps expedite your compliance process and assures that no detail is overlooked by centralizing your information and automating assignments and requests.

Its single source of truth ensures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards give visibility to gaps and high-risk areas.

ZenGRC also connects effortlessly with various tools, moving data for you and mapping controls to all of your compliance standards, whether PCI, HIPAA, SOC, or others.

With ZenGRC, you can let the software handle the tedious tasks of compliance while you focus on the big picture. Schedule a demo today!