ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization is building a customer analytics application on a public IaaS platform. Order records include payment card primary account numbers (PANs). Compliance requires that (a) no real PANs be stored in any cloud-hosted component, (b) authorized finance staff must be able to recover the original PANs from headquarters when needed, and (c) the cloud database must still support joining transaction records on a persistent surrogate value. Which data-protection design best fulfills these requirements?
Replace each PAN with a random, format-preserving surrogate generated by an on-premises tokenization vault that retains the mapping table, and store only the tokens in the cloud.
Encrypt each PAN in the application using format-preserving AES-FFX and store the ciphertext in the cloud; keep the master key in an on-premises HSM.
Apply deterministic client-side encryption to the PANs so identical values can still be joined in the cloud database.
Hash each PAN with SHA-256 and a secret salt before uploading the record, storing the salt securely on-premises.
Using a vault-based tokenization system meets all stated requirements. Each PAN is replaced before leaving the enterprise boundary with a randomly generated surrogate token that keeps the same data type/length, so the cloud database can store and index the token for joins without exposing the real PAN. Because the mapping table that links tokens to real PANs is held in an on-premises secure vault, no sensitive cardholder data or encryption keys are present in the cloud, keeping the environment out of PCI DSS scope. Finance staff can retrieve the original PAN by submitting an authenticated request to the vault for detokenization.
Format-preserving or deterministic encryption would still leave cryptographically derived PAN values in the cloud; under PCI DSS, encrypted PANs are still considered cardholder data, and encryption keys must be protected. Secure hashing is one-way and cannot support recovery of the original PAN, failing requirement (b). Database masking alone only hides data at presentation time; the underlying PANs still reside in the cloud database, violating requirement (a).
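The vault design described in the explanation, sketched as an added example that is not part of the original question. `TokenVault`, `to_cloud_rows`, the in-memory mapping, the role string standing in for an authenticated request, and the choice to make tokens fail the Luhn check are all assumptions of this sketch.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by real PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the on-premises vault; the mapping never leaves this object."""

    def __init__(self, detokenize_roles=("finance",)):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self._detokenize_roles = set(detokenize_roles)

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 ASCII digits")
        if pan in self._pan_to_token:  # persistent surrogate, so cloud joins still work
            return self._pan_to_token[pan]
        while True:
            # Random digits of the same length; no key or formula links token to PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Assumption of this sketch: tokens fail Luhn so none can pass as a real PAN.
            if (token != pan and token not in self._token_to_pan
                    and not luhn_valid(token)):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role not in self._detokenize_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


def to_cloud_rows(vault, orders):
    """Swap the PAN in each (order_id, pan, amount) before it leaves the enterprise."""
    return [(oid, vault.tokenize(pan), amount) for oid, pan, amount in orders]


# Constructed sample data using well-known test card numbers, not real accounts.
SAMPLE_ORDERS = [(1001, "4111111111111111", 25.00),
                 (1002, "5555555555554444", 12.50),
                 (1003, "4111111111111111", 99.99)]
```

Only the output of `to_cloud_rows` would be uploaded; unlike the encryption options, nothing stored in the cloud can be reversed without querying the vault.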
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Data Security