In Mike Dahn’s PCI Answers blog, a post was made over the break about the secure hashing of PANs.

As this blogger has said on many occasions before, hashing is a double-edged sword.

Theoretically, you could create a hash that is as secure as ciphertext from an encryption algorithm. If you used a 10 kilobit salt (effectively the key) together with the PAN, you would have something quite secure and would not run into issues with collisions. The problem is that you cannot change your keys without retaining the original PAN: if you did change the key, new hashes of the same PAN would no longer match the old hashes.

Perhaps the biggest issue is that people treat hashes differently than they do ciphertext. Hashes are seen as “non-real values that cannot be reversed.” Unfortunately, the complex math can be subverted by building rainbow tables. Something we don’t see is symmetrically encrypted values thrown around an organization in the same manner. Why? Just attitudes on treating certain data in certain ways, I think.

If you could solve the key-change issue, and protect hashed values the way you would ciphertext, then maybe we could make an apples-to-apples comparison.
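The key-change problem above, as an added example that is not code from the original post or from Mike Dahn’s: a vault that stores only keyed hashes (HMAC-SHA256, with a secret key standing in for the large salt) cannot move an existing token to a new key, because the PAN it came from was never kept; a lookup that has the live PAN in hand can still match it under every key version. The `PanVault` class and the sample PAN are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN: a well-known Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def pan_token(pan, key):
    """Keyed hash (HMAC-SHA256) of a PAN. The secret key is the large salt the
    post describes; without it the 16-digit PAN space is small enough that a
    precomputed table reverses a plain hash."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class PanVault:
    """Stores only (key_id, token) pairs, never the PAN itself."""

    def __init__(self):
        self.keys = {}        # key_id -> secret key (use a KMS/HSM in practice)
        self.current = 0
        self.records = []     # list of (key_id, token)

    def rotate(self):
        """Introduce a new key version. Existing tokens cannot be recomputed
        under it because the PAN they were derived from was never retained."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def store(self, pan):
        rec = (self.current, pan_token(pan, self.keys[self.current]))
        self.records.append(rec)
        return rec

    def match_current_key_only(self, pan):
        """Naive lookup: tokenize under the current key and compare.
        Stops matching older records after rotation, the problem the post describes."""
        tok = pan_token(pan, self.keys[self.current])
        return sum(1 for _, t in self.records if hmac.compare_digest(t, tok))

    def match_all_key_versions(self, pan):
        """Lookup that survives rotation: the live PAN is available at lookup
        time, so its token is computed under each record's own key id."""
        return sum(1 for kid, t in self.records
                   if hmac.compare_digest(t, pan_token(pan, self.keys[kid])))


def demo():
    vault = PanVault()
    vault.rotate()
    vault.store(SAMPLE_PAN)
    vault.rotate()   # key change: the stored record stays bound to key id 1
    return vault.match_current_key_only(SAMPLE_PAN), vault.match_all_key_versions(SAMPLE_PAN)
```

Note that `match_all_key_versions` only helps when a fresh PAN is presented; the tokens already on disk still cannot be migrated, which is exactly why retiring an old key means retiring the records hashed under it.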

This post originally appeared on
