What are Keyed Cryptographic Hashes?

March 10, 2023 Sully Perella

You know that PCI DSS v4.0 is coming. You know that some of these changes are relatively benign. But do you also know that key cryptographic hashes are part of the standard?

In this video, we're going to discuss how key cryptographic hashes apply to organizations and what this means for your compliance.

Hi, I'm Sully Perella, a PCI practice leader here at Schellman, and I've been doing cryptographic operations and analysis for over 20 years. Even with all of this experience, there's a lot to consider when thinking about requirement 3.5.1.1 of the PCI DSS as version 4.

Now, historically, you were able to take a card value or other sensitive data, hash it and we're OK. You're meeting your standards to protect that card data. Well, on March 31st, 2025, that is no longer going to meet the requirements for the protection of cardholder data. Instead of just hashing the data, a keyed cryptographic hash is going to need to be applied to secure that data, which means that you're not just going to need a hash it, you also need to involve encryption.

Now, we're not going to go into that here, but it is something that many organizations need to be considering. Specifically organizations which provide

Tokenization services
Store hashes for card lookups
Maybe they store hashes for repeat transactions.

These are going to have big implications for both service providers and merchants alike. Let's talk about that a little further.

So, a company wants to have a recurring transaction and they want to store something (typically a token) to kick that back over to their service provider, to their acquiring bank so that transaction can occur.

They're going to store that token. That token has no value. This is great. This is a secure practice.

The struggle comes in where a organization, merchant or service provider uses a salted hash to protect the card data, which currently meets the standards. However, under the future requirement 3.5.1.1 that is not going to meet your compliance needs and a keyed cryptographic hash is going to not only be applied to the data that you're using now, but the data that you have stored historically, when we think about the amount of data that depends on hash values for card lookups or whatever, the implications are incredible.

So, instead of waiting until March 31st, 2025, to solve this problem, in which case you've done yourself no good. Start thinking about this now reach out to your QSA, talk to us and we can help you identify some solutions to protect your data and meet that requirement.

About the Author

Sully Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.
More Content by Sully Perella

How to Use Strong Protocols and Cipher Suites to Achieve PCI DSS Compliance with TLS v1.2

Defining the secure exchange of data is critical for PCI DSS compliance. To help you do that more easily, w...

Next Video

What to Ask Before Hiring a QSA

Stay up to date and discover new insights into compliance through our team’s thought leadership

What are Keyed Cryptographic Hashes?

About the Author

Previous Article

Next Video

What are Keyed Cryptographic Hashes?

About the Author

Previous Article

Next Video

Other content in this Stream

Having already assessed organizations against the new PCI DSS v4.0, we're publishing the insight gained to help you understand more of what's coming and boost your preparation for the new standard.

PCI DSS v4.0 is a big shift for everyone involved in payment transactions, but we explain what and why those specifically in the banking industry should take a closer look at the updated standard.

Defining the secure exchange of data is critical for PCI DSS compliance. To help you do that more easily, we break down all the elements, which ones are stronger than others, & how they work together.

Heard of P2PE but not sure where or how to dive in? We answer 7 common questions to get you started in understanding this complex encryption and its standard for compliance.

Still trying to make sense of PCI DSS 4.0? We break down 7 of the new and major requirements from an assessor's perspective so that you understand how to plan for them ahead of your transition.

Want to reduce your workload during your PCI DSS process? You may have options with the Self-Assessment Questionnaire (SAQ) to do so—we explain how payment processing plays a role in scope reduction.

The PCI SSC has published blogs and guidelines for when remote work is necessary, including the Remote Assessments and the Coronavirus blog that focuses on conducting remote PCI Assessments.

Among all the updates to PCI DSS 4.0, service providers are arguably affected the most. Learn about several of the big changes you'll need to prepare for during your transition to PCI DSS v4.0.