83

I visited a local McDonald's, and I noticed part of my Visa number repeated on the receipt like this: NNNN NN__ ____ NNNN. (So out of a total of 16 digits it breaks down like this: First six digits revealed, middle six digits hidden, final four digits revealed again.)

So only 6 digits were hidden. Finding the correct number would take 1,000,000 guesses, but there is also a checksum that further decreases the number of guesses needed to 100,000 (by my, possibly wrong, calculation).

Is there a policy on how many digits can be revealed? Could cards be in danger if companies hide only the six middle digits?

AviD
SimZal
  • 7
    The first few numbers identify the card and issuer, so they are common among all cardholders (and easy to determine if you see the graphics on the card). The last 4 digits are unmasked for your convenience. I'm not sure what risks there could be if someone was able to brute force the masked numbers. – schroeder Dec 12 '16 at 07:31
  • @schroeder Thanks, I was being paranoid in light of brute forcing reports (cvv and expiry dates) of credit card info. There are probably many easier ways to obtain credit card info. – SimZal Dec 12 '16 at 07:52
  • 1
    The first 6 digits are the [IIN](https://en.wikipedia.org/wiki/Payment_card_number#Issuer_identification_number_.28IIN.29), so they're public domain. Per PCI they can be shown along with the last 4 digits. – Mark Dec 12 '16 at 11:33
  • Additionally, the final number is just a checksum number anyway. If you do the fancy maths that's needed to check if a card number is valid, you should get that last digit as your result :) – Takarii Dec 12 '16 at 14:19
  • 4
    @Takarii : But exposing that last digit means that the brute-forcer has to guess one less digit - they can work out what it should be to get the guard digit correct. – Martin Bonner supports Monica Dec 12 '16 at 17:18
  • @MartinBonner That's true, but also keep in mind that a _valid_ number isn't necessarily an _active_ one. With expiration and valid from dates thrown in, it is possible for multiple people to have the same card number. – Takarii Dec 13 '16 at 08:34
  • What bothers me more about this is that a receipt from one merchant will say my card number is NNNN NN** **** NNNN and the receipt from another merchant will say **** **NN NNNN ****. (Or some variation on this where with enough receipts showing different parts of the number, it's possible to piece together the whole number) – Michael Dec 13 '16 at 17:00
  • 7
    @Michael That shouldn't be an issue. The ones that were shown and weren't shown weren't chosen randomly and the middle numbers should NEVER be printed on any receipt from any merchant. The first 6 numbers are the card type and bank the card is with so aren't really secret information anyway. The last four are specifically the ones left visible so you can tell which card you used. That is the standard for all credit cards. – Evan Steinbrenner Dec 13 '16 at 21:17
  • 3
    On the flip side, scammers will sometimes use the opposite of the convention and if e.g. targeting Ireland use `4319 XXXX XXXX XXXX` which would cover pretty much all VISA debit and some VISA Credit cards in that area (other codes are equally common elsewhere). Someone unfamiliar with the numbering schemes but familiar with the general idea of disclosing 4 digits could, the idea goes, be fooled into thinking it must really be them. – Jon Hanna Dec 14 '16 at 02:21

7 Answers

107

As per PCI, the first 6 (BIN) and the last 4 can be shown, others should be masked:

From an official 2008 PDF: PCI Data Storage Do’s and Don’ts:

Never store the personal identification number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed.

PAN is the Primary Account Number.

So as far as compliance goes, the data terminal used to print the receipt is compliant.

StackzOfZtuff
Burhan Khalid
  • 1
    I've always found PCI rules quite interesting when applied to Card Numbers with only 13 digits and using the Luhn Check. I also seem to remember that the US may have a different regulation in place? – Matthieu M. Dec 12 '16 at 10:21
  • 4
    PCI states the _maximum_ not the minimum. As long as you don't display more than what is mandated by PCI, you are considered compliant. I remember in the US sometimes only the last 4 are shown. – Burhan Khalid Dec 12 '16 at 10:22
  • 32
    @BurhanKhalid Showing last 4 only is not much safer than showing first 6 and last 4. Because the first 6 are the issuer identification number, and there may not be that much actual variation in them. – Mike Scott Dec 12 '16 at 10:37
  • 7
    @MikeScott But as we can see, merchants still may wish to only show the last four, for reasons completely unrelated to security: to avoid alarmed questions from their customers. ;) (FWIW, it is most common in Canada to only show the last four digits on receipts. Whether this is due to a regulation or industry practice, I don't know.) – SevenSidedDie Dec 12 '16 at 22:07
  • 4
    Some companies use those digits as validation. So even that may be a liability. See the [tale of Mat Honan](https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/). – Mindwin Dec 13 '16 at 13:21
  • Note that there's a difference between what can be printed on the customer receipt and what can be on the merchant receipt. The merchant will often have the full PAN printed on their receipt - this can then be used for disputes, refunds etc. – AndyMac Dec 13 '16 at 14:45
  • Even if it's permitted, it's a **really** bad idea to show both the BIN and the last four. I've had cards where all but the BIN and the last five were zero! – R.. GitHub STOP HELPING ICE Dec 13 '16 at 16:21
  • The first 6 digits are used as a routing code. There aren't too many of them in use, as there are not that many processors. A good part of the range is reserved. https://en.wikipedia.org/wiki/Payment_card_number – HiTechHiTouch Dec 14 '16 at 09:14
  • For some people, including myself, having the first 6 (or 4) would be better than the last. When I need to update a card with a merchant (e.g. the last round of re-issues in the US to add the chip) I need to know the BANK (BIN) for the card they have. The last 4 digits of the old card they have on file are gone -- destroyed with the old card. – HiTechHiTouch Dec 14 '16 at 09:17
  • Better protection is to list the first 4, as they are the same for many many people who have accounts from the same issuer/processor. A recent attack on Visa (didn't work on Mastercard) took advantage of the fact there are only a few "first six" in common use, plus the ability to "test" card numbers by placing only a couple of orders each across many different sites. No security trap sprung on individual sites, as the invalid attempts count on each individual site was "acceptable", and Visa did not aggregate failed attempts with the same "last 4" to recognize a distributed attack was in progress. – HiTechHiTouch Dec 14 '16 at 09:23
20

Just remember that sensitive does not mean secret. The card number is "sensitive" because it can be used to initiate financial transactions, but it is not secret. Only the PIN code is.

Earlier, the full number was written down on the receipt, like the full account number is written on a check. As online businesses use only VISA card numbers without validation, banks realized that the risk of fraud was too high and chose to partially hide the information on the receipt. But the full card number is known (or at least accessible) to almost any employee of a website where you have initiated an on-line purchase.

TL/DR: if the bank is too lazy to hide the card number on a printed receipt it is their problem, not yours. As you are not responsible for that, there is no negligence from you.

Jedi
Serge Ballesta
  • Actually it's a receipt from McDonald's, not a bank. Thanks for the explanation, I guess my card is safe for now. :) – SimZal Dec 12 '16 at 07:58
  • 18
    "if the bank is too lazy to hide the card number on a printed receipt it is their problem, not yours". That implies a very poor definition of "problem". Just because it's the bank's responsibility to fix the mess doesn't mean that it's not the customer's problem, too. If shoddy practices at my bank led to any significant amount of fraud on my account, I'd definitely have a problem with that, and I'd take my money somewhere else. – David Richerby Dec 12 '16 at 10:35
  • 1
    @SimZal the receipt may be printed at McD. but who told the machine what to print was the bank. They can even print promotional statements like 'your purchase won $100 in credits' at will. – Mindwin Dec 12 '16 at 10:55
  • @Mindwin Thanks, I didn't know banks have control over this part of payment. – SimZal Dec 12 '16 at 12:43
  • @SimZal For example, I have a credit card (my own) and a supermarket prepaid benefits card from the same card company (the prepaid card is charged by my employer - perks!!). Both work on the same POS machine. When I use the supermarket card, the receipt has the remaining balance printed. – Mindwin Dec 12 '16 at 15:37
  • @SimZal by bank you can understand either bank OR card company. YMMV – Mindwin Dec 12 '16 at 15:38
  • 2
    @SergeBallesta Actually, PCI compliance requires that credit card info is masked except upon first input even internally within a company that does its own credit card processing; trusted IT employees would still have access, but not other employees. If you use an external vendor for card processing (as many smaller websites do), then you never even see the real credit card number: just a one-time transaction number. – jpaugh Dec 12 '16 at 22:51
  • 4
    "But the full card number is known (or at least accessible) to almost any employee of a website where you have initiated an on-line purchase." I seriously doubt this claim. Only employees with direct access to the storage system that holds your card number should have that kind of access (DBAs, for instance), and a not insignificant number of businesses outsource the entire process of accepting a credit card transaction to services like PayPal or Authorize.NET to avoid all the compliance hassles. Do you have a source for this? – jpmc26 Dec 13 '16 at 00:18
  • 2
    This answer is almost totally wrong. As a developer for websites that take credit card transactions I can state that PCI states that NO ONE, even trusted employees have access to both the PAN and the PIN. The PAN must be discarded very early on and a PIN can never be stored. Even card readers are supposed to encrypt the E-TRACK data. Furthermore a bank has no access to receipt printing. Even in ATMs (the ATM vendor can and the bank can ask for a format, but they don't actually have direct control over the receipt). – coteyr Dec 13 '16 at 05:23
  • @coteyr: PIN must not be stored or displayed, but 3.3 says "only personnel with a legitimate business need can see [unmasked PAN]" and 3.4 allows storing it encrypted among other options. I doubt a QSA will sign off on "almost any employee" having legitimate business need, but clearly _some_ people can be in this category, if the merchant justifies it. OTOH the general guidance is to not store more than you need, and if you use a P2PE reader, or EMV, you never _have_ a clear PAN. – dave_thompson_085 Feb 04 '18 at 17:43
12

In the USA, the Fair and Accurate Credit Transactions Act of 2005 (FACTA) prohibits printing more than five digits of a credit card number. So while your receipt complies with PCI regulations, it wouldn't comply with the law if you were in the US. However your profile says you're in Slovenia, and I'm not aware of any similar Slovene or EU laws.

Mike Scott
  • 4
    I got this receipt in Thailand, I guess their standards are a bit lower than in the US. – SimZal Dec 12 '16 at 12:52
  • Is this a credit card? And does the US law apply to chip and pin cards? – Tim Dec 12 '16 at 17:58
  • According to a Wall Street Journal article last week, the limit is 4, not 5. – HiTechHiTouch Dec 14 '16 at 09:11
  • 2
    @HiTechHiTouch The limit according to the text of the law is 5, and specifically the last 5. – Xander Dec 14 '16 at 16:44
  • @Simzal Given the comments on US law, **as** they allow the last 5 digits by US law, contravening PCI "last 4" allowance, **and as** the 1st 6 can be derived with relative ease, **Then:** US law is (1) non compliant with applicable US standards and (2) less good than what your receipt does. – Russell McMahon Dec 15 '16 at 07:50
  • @Xander Please provide a source reference, acceptable for a Wiki article. Thanks! – HiTechHiTouch Dec 15 '16 at 15:16
  • @HiTechHiTouch I did. The source reference is the text of the law. – Xander Dec 15 '16 at 15:25
7

Since there's about 1 billion Visa cards in circulation worldwide (there were 883.5 million in 2012) and each card has 14 unique digits (the first one is always 4 and the last one is the checksum), it would take 50,000 guesses on average to find a valid number without any prior info.

Suchwise, if the hacker is not interested in guessing your number in particular, he will most likely simply ignore your receipt even if he got it.

Dmitry Grigoryev
  • Don't you also need the name of the holder and the expiration date to perform a pinless transaction? – T. Verron Dec 15 '16 at 13:34
  • @T.Verron You do (and having that secret CCV code won't hurt either). My point is that the potential criminal won't even get significantly closer to a complete card number. – Dmitry Grigoryev Dec 15 '16 at 13:38
  • I understand your point, I should have been more clear. My point is that the extra required information could give an attacker enough reason to be interested in guessing the specific number for the receipt (for example if he knows or can social-engineer the name of the holder) instead of "any" number. – T. Verron Dec 15 '16 at 13:48
  • Yeah, I didn't read your question like that at all ;) Anyway, **you're right that in this particular case the attacker will have far fewer guesses to try**. Still, I would argue the situation where the attacker knows most of your CC details but not the full number is quite unusual, and nothing in the question suggests it might be the case. – Dmitry Grigoryev Dec 15 '16 at 13:57
  • 1
    I can't imagine him knowing the CCV code and the expiration date without knowing the full card number, indeed. Knowing *only* the CCV code and the name of the holder is possible though, and guessing the expiration date is not nearly as hard as the other information on the card. Anyway, I think your answer is still quite convincing, I'm just nitpicking. A wide-scale attacker may very well target a specific country by locking the first few digits, and then try some common names against its guessed numbers. – T. Verron Dec 15 '16 at 14:05
5

As another user has stated, per PCI-compliance rules, this is perfectly acceptable.

I wanted to clarify a bit exactly why things are this way. First off, the first six digits of the card number constitute the BIN, a number which is considered "well-known". This is a number assigned to the institution that issued your card, and all other cardholders who are members of that institution share the BIN. So showing the BIN doesn't give an attacker any information he can't get simply by looking at the BIN list. Since obscuring the BIN provides only a marginal (some would say "trivial") amount of security, why mask it? The cleartext BIN is routinely used in payment processing, and masking it would create a lot more headaches for a nearly-zero increase in security.

Displaying the last four is typically the best compromise between displaying too much information and not enough information to uniquely identify the card when used for reconciliation, etc. If you work with credit card numbers a lot, you occasionally run across two identical masked card numbers, but with a 1/10,000 probability it does happen.

These two things taken together, you still are probably going to come back to the point "you're giving a data thief ten of the numbers, which reduces his search space to 1 million, and the checksum, which reduces it to 100,000!"

You have a valid point, but what does that mean? It means that the thief now has a list of 99,999 bad credit card numbers and 1 good one, with no way to tell which is the right one. The credit card number does not inherently carry any information that lets you know when you have the "right" number. It's not like solving a cryptographic puzzle; you must present the card for a payment to know if it's "good" or not. That means, to crack even ONE card, you have to compromise a merchant's payment platform and run an average of 50,000 transactions to find it. Considering merchants are charged per-transaction, it's greatly in their interest to ensure that someone can't do this sort of thing. And even if the merchant was a slouch in protecting his merchant account's credentials, payment processors often detect this sort of thing and shut the account off within seconds.
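As an added example (not code from any of the posters here), a short Python script that implements the PCI masking rule quoted in the top answer and the search-space arithmetic this answer and the question argue over: a Luhn check, a `mask_pan` helper that refuses to show more than the first six and last four, and a count of Luhn-valid completions of a masked PAN. The 4111 1111 1111 1111 Visa test number is a constructed sample, and the helper names are my own.

```python
import itertools
import re


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check; the rightmost digit of the PAN is the check digit."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 -> 1..9 (same as summing the two digits)
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and last four
    digits to be shown; a request to show more is refused, never silently printed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most the first 6 and last 4 unmasked")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def luhn_candidates(masked: str) -> int:
    """Number of Luhn-valid PANs consistent with a masked string ('*' = hidden).
    Doubling-and-reducing is a bijection on 0..9, so for any one hidden position
    exactly one digit value satisfies the check once the others are fixed. Hence
    10**hidden raw completions shrink to 10**(hidden-1) valid ones, whether or
    not the check digit itself is among the hidden digits."""
    hidden = masked.count("*")
    if hidden == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (hidden - 1)


def luhn_candidates_bruteforce(masked: str) -> int:
    """Cross-check of the formula by enumeration; practical only for a few hidden
    digits (10**hidden checks). Returns a count, not the candidates themselves."""
    count = 0
    for combo in itertools.product("0123456789", repeat=masked.count("*")):
        fill = iter(combo)
        candidate = "".join(next(fill) if c == "*" else c for c in masked)
        if luhn_valid(candidate):
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: the well-known 4111 1111 1111 1111 Visa test number.
    receipt = mask_pan("4111 1111 1111 1111")
    print(receipt)                                              # 411111******1111
    print(10 ** receipt.count("*"), luhn_candidates(receipt))   # 1000000 100000
    print(luhn_candidates_bruteforce("4111111111***111"))       # 100
```

The receipt in the question therefore leaves 1,000,000 raw completions of which exactly 100,000 pass Luhn, as the asker computed; the check only says a number is well-formed, not that it was ever issued.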

-1

In the 90s you would have had to worry a little. Nowadays you do not; the cloning of the RFID chip, or obtaining the 3 digit security code and expiry date along with your card number, is far more worrying than merely being able to "guess your card number".

In theory, I already know your card number due to the algorithm you mentioned, modulus 10 or Luhn. This information alone is worthless without the rest of the data. If the credit card receipt doesn't have it, you are fine.

Myles
  • 4
    "I already know your card number due to the algorithm you mentioned, modulus 10 or Luhn" -- huh? A single check digit isn't going to make up for 6 missing digits. – Blorgbeard Dec 13 '16 at 19:52
  • But it's not just 6 digits. The first 4 of a credit card are pretty static too. There's the MII, the IIN, the Issuer code, the check digit, and some well known "extra codes" that tie to expiration date, issue date etc. etc. On a 16 digit credit card only about 9 digits are actually "yours" and even in those 9 there are some patterns that can be followed. – coteyr Dec 14 '16 at 18:03
  • @Blorgbeard I am guessing you didn't understand what was written. Using the algorithm, every single credit card number ever created can be generated. Without fail, I know every single credit card number in the world. However, I do not have the expiry or start dates OR the 3 check digits.....meaning just knowing the card number is of no consequence. Before replying, understand what it is you are replying to. – Myles Jan 03 '17 at 15:47
  • That's rubbish. You could randomly generate card numbers, but that doesn't mean you know which are actual, issued, numbers, let alone which is mine. – Blorgbeard Jan 03 '17 at 17:10
  • @Blorgbeard again you seem to have misunderstood what I am saying and happen to stumble upon exactly that which I am trying to portray. The exact thing I am saying is "I could generate every card in the world, one of which would be yours, but I wouldn't have any information to help me beyond the fact that I knew I had your card number in my list. Having the full credit card number is of no use to a fraudster as they need more information so whether or not the displayed numbers are displayed on the receipt doesn't matter". Hopefully you now understand. – Myles Jan 04 '17 at 09:20
-1

A PAN may range from 13 to 19 digits, and as per the Payment Card Industry Data Security Standard the first six digits and the last four digits of the PAN can be visible; the digits in between should be masked.

Thiyagu