Creditcard store first six digits PCI reference

Considering your questions indicate you are already processing card holder data, either by transfering PANs or storing (partial) PANs, you fall in the category of SAQ-D. So this means you should be already undergoing PCI audits (provided you have over 300k transactions annually), so best is to check with your QSA and see what they say.


The first 6 digits are not extremely sensitive information. They comprise the IIN or Issuer Identification Number (https://en.wikipedia.org/wiki/Bank_card_number). The last four digits are also not considered sensitive information. In fact the first six and last four are the maximum number of digits that are allowed to be displayed (see PCI DSS 3.3 https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf All other PCI number references come from this document).

However the EXP Date + PAN IS considered sensitive information. Page 2 of this document has a nice explanation of storage procedures (https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf).

In addition 3.4 applies in this case. You have rendered the number unusable through truncation (although the Luhn Checksum allows for the number to be guessable). However you must protect the EXP Date and it is recommended (note that it does not appear to be required) to not store the truncated PAN in plan text but to stack protection with one way hashing or encryption.


I you mixed the meaning of the different requirements and have a certain confusion.

Requirements 3.3 "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)." talks about display not storage ! if you mask the PAN it provides a solution for this requirement.

Requirements 3.4 3.4 Render PAN unreadable anywhere it is stored ..." talks about storage not display !

You wrote "I need to store masked PAN" masked PAN is related with Requirement 3.3. and storage is related with requirement 3.4 to fulfill this requirement you can use one way hash / truncation / cryptography / token

Tags:

Pci Dss

Credit Card

Related

Cisco Registered Envelope Service (CRES), big security flaw? How to prevent username and password matches when changing a username? Recreating uploads/linked images with imagecreatefrom* php Can address details be "googled" from the whois information, without knowing the domain name? Anonymous surveys that aren't so anonymous Best practices for automatic login URL's? What leaked mass surveillance capabilities have not been explained by vulnerabilities we have learned about since 2014? Will quantum computers render AES obsolete? Use multiple computers for faster brute force The history of thumbnails (or just a previous thumbnail) is embedded in an image file? Why is weakness of SHA-1 considered a threat to TLS security Is it possible to detect security breaches as a user before they're announced?

Recent Posts