What are Keyed Cryptographic Hashes?

You know that PCI DSS v4.0 is coming. You know that some of these changes are relatively benign. But do you also know that key cryptographic hashes are part of the standard?

In this video, we're going to discuss how key cryptographic hashes apply to organizations and what this means for your compliance.

Hi, I'm Sully Perella, a PCI practice leader here at Schellman, and I've been doing cryptographic operations and analysis for over 20 years. Even with all of this experience, there's a lot to consider when thinking about requirement of the PCI DSS as version 4.

Now, historically, you were able to take a card value or other sensitive data, hash it and we're OK. You're meeting your standards to protect that card data. Well, on March 31st, 2025, that is no longer going to meet the requirements for the protection of cardholder data. Instead of just hashing the data, a keyed cryptographic hash is going to need to be applied to secure that data, which means that you're not just going to need a hash it, you also need to involve encryption.

Now, we're not going to go into that here, but it is something that many organizations need to be considering. Specifically organizations which provide

  • Tokenization services
  • Store hashes for card lookups
  • Maybe they store hashes for repeat transactions.

These are going to have big implications for both service providers and merchants alike. Let's talk about that a little further.

So, a company wants to have a recurring transaction and they want to store something (typically a token) to kick that back over to their service provider, to their acquiring bank so that transaction can occur.

They're going to store that token. That token has no value. This is great. This is a secure practice.

The struggle comes in where a organization, merchant or service provider uses a salted hash to protect the card data, which currently meets the standards. However, under the future requirement that is not going to meet your compliance needs and a keyed cryptographic hash is going to not only be applied to the data that you're using now, but the data that you have stored historically, when we think about the amount of data that depends on hash values for card lookups or whatever, the implications are incredible.

So, instead of waiting until March 31st, 2025, to solve this problem, in which case you've done yourself no good. Start thinking about this now reach out to your QSA, talk to us and we can help you identify some solutions to protect your data and meet that requirement. 

About the Author

Sully Perella

Sully Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.

More Content by Sully Perella
Previous Video
What Should I Do First? ISO 27001 or SOC 2?
What Should I Do First? ISO 27001 or SOC 2?

Next Video
Schellman's ISO Capabilities
Schellman's ISO Capabilities