PCI DSS allows hashing as a technique for tokenizing or protecting stored cardholder data, calling hashes “irreversible”. Interestingly PCI does not require using salts or other advanced hashing techniques to strengthen these hashes. Using oclHashcat with a custom patch of our own, a list of valid IINs, and a GPU cracking rig we will show how to reverse the supposedly irreversible one-way hashes of payment card numbers, ultimately demonstrating that we can completely crack a “PCI Compliant” database of hashed PANs in a few hours.