Ask a QSA recently received the following Primary Account Number (PAN) truncation query and felt it may be of interest to our readers.
By Judith Clark, QSA Consultant
With the forthcoming increase of Bank Identification Numbers (BINs) from six digits to eight digits, are there any PCI DSS compliance issues with showing the first eight and last four of the PAN instead of the first six and last four when stored?
Card numbers today are generally made up of 15 or 16 digits, and the truncation rule permits only the first six and last four digits to be stored electronically as part of rendering the PAN unreadable (Requirement 3.4). The intention of truncation is to permanently remove a segment of the PAN so that only a portion of it is stored. This rule has been in place, unchanged, for many years within the PCI DSS.
There are separate changes proposed within the payment card and banking industries to extend the PAN to up to 19 digits and to increase the BIN length to 8 digits, providing a larger ‘address space’ for an almost depleted pool of available BINs and an ever-increasing number of banks requiring one.
The short answer is yes, however…
So, going back to the original question: the short answer is yes, there are issues. If the truncation rule were changed to allow storage of the first eight and last four digits, security would be weakened because fewer digits would remain to be guessed. That assumes the PAN stays at 15 or 16 digits; but, as the two proposals are not linked, what of the increase in PAN length? A truncation technique built around keeping the first six and last four of a 16-digit PAN would, on a 19-digit PAN, fail to remove the last three digits, leaving a stored truncated PAN of 13 digits instead of the usual 10, unless the technology knows that the PAN length has increased.
Because the PAN-length and BIN-length proposals are not linked, this could cause havoc for all concerned. Merchants and service providers will need to consider changes to their environments and technology (encompassing payment processing systems, POS and CRM systems, and truncation technologies) so that they can handle an increase in PAN length and the risk of the wrong digits being stored because of incorrect truncation. The technology changes could become a costly exercise, including changes to terminals, payment applications, ecommerce platforms and PCI DSS compliance.
The Payment Card Industry Security Standards Council (PCI SSC) has issued truncation guidance on changes to PANs and BINs:
- For 16-digit PANs with an 8-digit BIN, Discover and Visa cards must have at least six digits removed; the maximum that may be retained is the first six and any other
- For PANs with more than 16 digits but with a 6-digit BIN, Mastercard and Visa cards must have at least six digits removed; the maximum that may be retained is:
  - 17-digit PAN: first six and any other five
  - 18-digit PAN: first six and any other six
  - 19-digit PAN: first six and any other seven
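To make the arithmetic in the answer and the guidance above concrete, here is an added example (not from the article or the PCI SSC) contrasting a truncation routine hard-coded for 16-digit PANs with a length-aware one, and checking each result against the per-length retention maximums quoted above. It assumes a 6-digit BIN (the 8-digit BIN case is left out), and the sample PANs are constructed digit strings, not real card numbers.

```python
import re

# Maximum digits that may be retained after truncation, per PAN length, taken from the
# guidance quoted above (6-digit BIN): first six + last four for 15/16 digits,
# first six + any other five / six / seven for 17 / 18 / 19 digits.
MAX_RETAINED = {15: 10, 16: 10, 17: 11, 18: 12, 19: 13}


def truncate_positional_16(pan: str) -> str:
    """Truncation hard-coded for a 16-digit PAN: drop positions 7-12, keep the rest.
    Right for 16 digits (first six + last four); on a 19-digit PAN it keeps 13 digits."""
    return pan[:6] + pan[12:]


def truncate(pan: str, first: int = 6, last: int = 4) -> str:
    """Length-aware truncation: keep `first` leading and `last` trailing digits of the
    PAN as actually received, so a 19-digit PAN still yields 10 retained digits."""
    if not re.fullmatch(r"\d{15,19}", pan):
        raise ValueError("PAN must be 15 to 19 digits")
    if first + last >= len(pan):
        raise ValueError("truncation must remove at least one digit")
    return pan[:first] + pan[-last:]


def assess(pan: str, truncated: str) -> tuple:
    """Return (digits retained, maximum permitted for this PAN length, within guidance?)."""
    limit = MAX_RETAINED[len(pan)]
    return len(truncated), limit, len(truncated) <= limit


# Constructed sample PANs: digit strings for illustration only, not real card numbers.
PAN16 = "5100001234567890"
PAN19 = "5100001234567890123"

CASES = [
    ("16-digit, first six + last four", PAN16, truncate(PAN16)),
    ("16-digit, first eight + last four", PAN16, truncate(PAN16, first=8)),
    ("19-digit, positional (assumes 16)", PAN19, truncate_positional_16(PAN19)),
    ("19-digit, length-aware", PAN19, truncate(PAN19)),
]

if __name__ == "__main__":
    for label, pan, trunc in CASES:
        kept, limit, ok = assess(pan, trunc)
        print(f"{label}: {trunc} kept {kept} of {len(pan)} (max {limit}) "
              f"{'ok' if ok else 'exceeds maximum'}")
```

The first-eight case keeps 12 of 16 digits, above the maximum of 10, which is the answer's point; the positional routine keeps 13 digits of a 19-digit PAN rather than the 10 a downstream system built for 16-digit PANs will expect.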
The above applies to the truncation and storage of PANs; however, the same issues (including technology impacts and costs) apply to the display of PANs (on screen, on hardcopy receipts, in reports, etc.). In accordance with Requirement 3.3, the guidance for masking PANs displayed to personnel with no legitimate business need to see the full PAN is:
First six and last four are the maximum to be displayed.
Our panel of Security Professionals want your questions! If you have a query then please send us an email and we’ll answer it in a future issue. All submissions will be published anonymously.