I am wondering what are the risks associated with storing last 6 digits of a payment card as compared to the last 4 digits. In addition, will it have implications on PCI DSS compliance?
2 Answers
By point 3.4 of the PCI DSS guidelines, truncation is "generally not to exceed the first six and last four digits", but specifically depends on whether it would become feasible to regenerate the full card number - for example, by using a hash of the same card number as a test to generate possible missing digits. Storing the first and last six digits would reduce a 19-digit card number to 7 redacted digits, which would be trivial to brute force if a hash was also provided. There is a specific note about this situation:
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Furthermore, by point 3.3: "the first six and last four digits are the maximum number of digits to be displayed".
In order to get an answer for your specific system, you'd need to get advice from a QSA - it's not impossible that you would be allowed to store six digits, but it would be advisable not to, and only a QSA would be able to sign off on the decision.
Credit card numbers are generally 16 digits long.
The first 6 digits are 'usually' the BIN of the card. They identify what type of card it is (ABC Bank gold card, DEF Bank Debit Card...etc), and are generally used for routing within the card network, so VISA/Mastercard know which Issuer to route the transaction to.
This information is generally considered public, and you can find generic BIN ranges online.
The next 10 digits are the card number, which uniquely identifies the card to the issuing bank.
When it comes to how many of these 10 digits should be exposed, there are considerations. Expose too little and it'll be hard to identify individual transactions and individual cards (a troubleshooting nightmare).
Expose too much, and criminals can re-construct the card number.
General PCI advice is to expose 'no more' than 4, with guidance on reducing this if you don't need 4 digits. This way, the number of masked digits is 6, with a possible range of 000000 - 999999, or 1,000,000 possible permutations.
If you expose 6 digits, then the number of masked digits is only 4 (10-6), and the possible range of card numbers reduces by 100x, to just 0000 - 9999, or 10,000 possible permutations. This is generally low enough for someone to brute-force guess the card number through some other means.
In short, don't do this. 4 numbers is generally fine, and the lower the better, but don't do 6. You'll not only be non-compliant with PCI, you'll put your customers (or customers of your customers) at risk.
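The reconstruction attack that both answers describe (the first via the PCI DSS note about correlating a truncated PAN with a hash of the same PAN, the second via the permutation counts) can be demonstrated directly. The block below is an added example and is not code from either answer or from the PCI SSC: it counts the candidates left by a given truncation layout, enumerates only the Luhn-valid ones (the check digit is determined by the other digits, so one masked position never has to be guessed), and recovers the full PAN from an unsalted SHA-256 of it. The PAN 4242 4242 4242 4242 is a well-known test number, and the 6+4 / 6+6 layouts, the 19-digit case and the choice of SHA-256 as the "hashed version" are constructed for the demonstration.

```python
"""Brute-forcing a truncated PAN when a hash of the full PAN is also stored.

Added example, not taken from the answers above. PANs, hashes and mask layouts
are constructed test data; 4242 4242 4242 4242 is a well-known test number.
"""
import hashlib
from itertools import product


def luhn_fold(d: int) -> int:
    """Double a digit and fold it back into 0-9, as the Luhn algorithm does."""
    d *= 2
    return d - 9 if d > 9 else d


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += luhn_fold(d) if i % 2 == 1 else d
    return total % 10 == 0


def truncate(pan: str, keep_first: int, keep_last: int) -> str:
    """Mask everything except the first `keep_first` and last `keep_last` digits."""
    masked = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * masked + pan[len(pan) - keep_last:]


def search_space(pan_len: int, keep_first: int, keep_last: int) -> tuple:
    """(raw candidates, Luhn-valid candidates) for a truncation layout.

    The Luhn check digit is a function of the other digits, so one masked
    position can be solved for rather than guessed: 10**(masked-1) strings remain.
    """
    masked = pan_len - keep_first - keep_last
    return 10 ** masked, 10 ** (masked - 1)


def candidates(truncated: str):
    """Yield every Luhn-valid PAN matching a truncated PAN ('*' = masked digit).

    All masked positions but the last are enumerated; the last is derived from
    the Luhn constraint (luhn_fold is a bijection on 0-9, so the answer is unique).
    """
    n = len(truncated)
    holes = [i for i, c in enumerate(truncated) if c == "*"]
    if not holes:
        if luhn_valid(truncated):
            yield truncated
        return
    free, solved = holes[:-1], holes[-1]
    solved_doubled = (n - 1 - solved) % 2 == 1  # does Luhn double this position?
    digits = list(truncated)
    for combo in product("0123456789", repeat=len(free)):
        for pos, d in zip(free, combo):
            digits[pos] = d
        total = 0
        for i, ch in enumerate(digits):
            if i == solved:
                continue
            d = int(ch)
            total += luhn_fold(d) if (n - 1 - i) % 2 == 1 else d
        need = (-total) % 10
        if solved_doubled:
            d = next(x for x in range(10) if luhn_fold(x) == need)
        else:
            d = need
        digits[solved] = str(d)
        yield "".join(digits)


def pan_hash(pan: str) -> str:
    """Unsalted SHA-256 of the PAN: the 'hashed version' the PCI DSS note warns about."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(truncated: str, target_hash: str):
    """Correlate a truncated PAN with a hash of the full PAN.

    Returns (recovered PAN or None, number of candidates hashed).
    """
    tried = 0
    for cand in candidates(truncated):
        tried += 1
        if pan_hash(cand) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    pan = "4242424242424242"  # constructed test PAN, Luhn-valid
    h = pan_hash(pan)
    for keep_last in (4, 6):
        t = truncate(pan, 6, keep_last)
        raw, valid = search_space(len(pan), 6, keep_last)
        found, tried = recover_pan(t, h)
        print(f"{t}: {raw:>10,} raw / {valid:>9,} Luhn-valid; "
              f"recovered {found} after {tried:,} hashes")
    print("19-digit PAN, first 6 + last 6 kept:", search_space(19, 6, 6))
```

Keeping first 6 + last 4 of a 16-digit PAN leaves 1,000,000 raw strings but only 100,000 Luhn-valid ones; keeping first 6 + last 6 leaves 1,000. Either is exhausted in well under a second on a laptop once an unsalted hash is available, which is why the quoted note requires additional controls (a keyed HMAC or salted hash the attacker cannot recompute, or not keeping both forms in the same environment) rather than relying on truncation alone.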