If both hashed and truncated versions of the same PAN exist in an entity's environment, what must be in place?


Multiple Choice

If both hashed and truncated versions of the same PAN exist in an entity's environment, what must be in place?

Explanation:
When both hashed and truncated forms of the same PAN exist, there is a risk that someone could use both representations together to deduce the original number. Hashing is meant to be irreversible, and truncation reduces detail, but if an attacker can access both versions, they may be able to link them and narrow down or reconstruct the PAN. To prevent this, you must impose additional controls that ensure the two forms cannot be correlated to reveal the original PAN. This can include keeping the representations in separate security domains with strict access controls, using distinct, non-linkable processing methods (for example, different salts or non-deterministic mappings), and enforcing strong encryption with proper key management and monitoring. The goal is that having both forms does not provide a reliable path to re-create the PAN.