PAN Protection
Description
Primary Account Number (PAN) must be protected wherever stored using strong cryptography (encryption, truncation, tokenization, or hashing).
⚠️ Risk Impact
Stored PAN is the highest-value target in the CDE. PCI DSS specifically requires stored PAN to be rendered unreadable; storing it in readable form is an immediate failure of the control.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Tokenize PANs at ingress. Use cloud-managed KMS for encryption. Never log raw PAN. Truncate to first-6 + last-4 for display. Audit all PAN storage locations.
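As an added example (not EchelonGraph's scanner code), the following Python shows the two defensive pieces above in working form: a scanner that finds Luhn-valid PAN patterns in log lines, and a first-6 + last-4 truncation so that the finding itself never re-exposes the full PAN. The log lines and card numbers are constructed sample values (industry test numbers, not real accounts).

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so 20-digit IDs are not matched).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate to first-6 + last-4, the display form PCI DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs found in text (digits only), in order of appearance."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines; report (line number, masked PAN), never the full value."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings

# Constructed sample log lines (industry test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-03-01T10:22:33Z INFO  charge ok order=1234567890123456 amount=19.99",
    "2024-03-01T10:22:34Z DEBUG raw request: card=4111111111111111 exp=12/26",
    "2024-03-01T10:22:35Z DEBUG retry for 5500 0000 0000 0004 (attempt 2)",
    "2024-03-01T10:22:36Z INFO  token=tok_9f8e7d6c5b4a customer=c_42",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: full PAN present ({masked})")
```

The 16-digit order ID on line 1 fails the Luhn check and is not reported, which is what keeps this kind of scan from drowning in false positives from timestamps and internal identifiers.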
💀 Real-World Attack Scenario
A payment processor logged full PAN in their application logs 'for debugging'. The logs were shipped to a centralized SIEM. A SIEM-admin's credentials were phished; the attacker downloaded 8 months of logs containing millions of full PANs. Notification cost: $145/record × 2.4M records = $348M.
💰 Cost of Non-Compliance
Average PAN-exposure breach: $115-$200/record (varies by region + brand). 2.4M-record breach: $276M-$480M.
📋 Audit Questions
- 1. Where is PAN stored?
- 2. Is PAN tokenized at ingress?
- 3. What truncation/encryption is applied at storage?
- 4. Does any log file contain full PAN?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Full PAN logged 'for debugging' + log files retained indefinitely
- ⛔ Tokenization vendor's tokens stored alongside the tokenization key
- ⛔ Truncation to first-6 + last-4 stored in same column as full PAN
📈 Business Value
Tokenization eliminates PAN exposure entirely + reduces PCI audit scope.
⏱️ Effort Estimate
60-120 hours tokenization rollout per system
EchelonGraph scans for PAN patterns in logs + storage
🔗 Cross-Framework References
Automate PCI DSS 3.5 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.