ISC2 Governance, Risk and Compliance (CGRC) Practice Question

PCI DSS Requirement 3.4 demands that stored primary account numbers be rendered unreadable by methods such as strong cryptographic encryption, truncation, hashing, or tokenization. Because the organization needs to retain the complete PAN to process recurring transactions, options that discard part of the number (masking or truncation) would make the data unusable for subsequent billing. Tokenization could remove the PAN from the application database entirely, but storing the token-mapping table (which contains the original PAN) on the same, unprotected server would leave the PAN exposed unless additional encryption controls were applied; therefore, the stated tokenization option is insufficient as written. Encrypting the PAN with industry-accepted strong cryptography and protecting the cryptographic keys in accordance with PCI DSS key-management requirements ensures the data remain unreadable to unauthorized parties while still allowing lawful decryption for business use, making it the only fully compliant choice among the options provided. Simply placing the plaintext database behind a firewall does not satisfy the mandate to render the PAN unreadable.