
Can I separately store 8-digit BINs and truncated (6/4) PANs outside of my CDE?


Truncated PANs are no more than the first 6 and last 4 digits of the PAN, compliant with the standard's section 3.4, but it only says:

The intent of truncation is to permanently remove a segment of PAN data so that only a portion of the PAN is stored.

from which I am not sure if it's still allowed to have the first 8 digits separately, for other purposes, let's say, to maintain a mapping from BIN to bank name.

Current standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Also a note from https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-are-acceptable-formats-for-truncation-of-primary-account-numbers and https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS which makes sense but I didn't find anything similar in the standard:

Access to different truncation formats of the same PAN greatly increases the ability to reconstruct full PAN, and the security value provided by an individual truncated PAN is significantly reduced. If the same PAN is truncated using more than one truncation format (for example, different truncation formats are used on different systems), additional controls should be in place to ensure that the truncated versions cannot be correlated to reconstruct additional digits of the original PAN.

I checked related Q&As, none of which mentions 8 digits:

Dan Oak
    8-digit BIN (IIN) was added to ISO only in 2017, and changes in the financial industry are slow; neither MC nor Visa requires implementation until 2022. DSS 3.2.1 was only a 'minor' update to 3.2, which was adopted in 2016 (and had been in development a while before that). The first opportunity for significant change is 4.0, [not expected before late this year](https://blog.pcisecuritystandards.org/3-things-to-know-about-pci-dss-v4-0-development) – dave_thompson_085 Jan 31 '20 at 05:36

2 Answers


It follows directly from PCI DSS requirement 3.4 that PANs are the defining entity for the CDE system and truncation is the normal mode of storage.

But even if you store them somewhere which you define not to be the CDE, the DSS will still apply to that, as it is a connected system and DSS regulations will apply to the system and processes anyway.

I don't think BINs alone have this problem/requirement, but be very careful: I would never extract them from existing PANs but maintain them from external sources, especially if you are unsure whether they are 6 or 8 digits. (This way it might not be a connected system.)

eckes
  • Sorry, I might have misled with my question. Reformulated. So basically if I store truncated PANs I fall under DSS, but does it mean I must store them in the CDE, and what if I store the same PANs applying multiple truncation methods separately? Like in my example: **first-8** & **first-6-last-4**. – Dan Oak Jan 30 '20 at 22:47
  • It is the other way around: everywhere you store the PAN is a CDE. And they discourage multiple truncations. However, it can be argued that storing BINs with no link to PANs is not a (truncated) PAN and does not weaken truncation. – eckes Jan 30 '20 at 22:49
  • It is BTW not clear why PCI does not allow showing the last two digits for an 8-digit BIN in PANs, but all their truncation rules specifically call for the leading 6 digits only. Maybe it is for security, to never risk exposure for 6-digit BINs. – eckes Jan 30 '20 at 22:54
  • Wait, so even a truncated PAN has to be stored in the CDE? – Dan Oak Jan 30 '20 at 22:55
  • The place where you store PANs is the CDE, and you can only store them encrypted, hashed or truncated. It is best to not store them at all. – eckes Jan 30 '20 at 22:59
  • Although this article states otherwise. But it does mention that storing with different truncations increases vulnerability: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS. I guess first-8 is still a truncation. – Dan Oak Jan 30 '20 at 23:12

You've found the two FAQs that are relevant. The FAQs have the same authority as the standard; they expand and clarify it, but are written, reviewed and approved by the working group that also writes the DSS. There are two issues.

  1. Does a correctly truncated PAN require the protection of all the DSS requirements? The answer is NO - FAQ 1117. BUT as @eckes correctly points out, you need to make sure the environment that contains just the truncated PANs is not "connected to" your CDE.

  2. Can you keep an 8-digit BIN when you truncate a 16-digit PAN? The answer is YES - FAQ 1091. You can retain "first 6, any other 4" -- so that can be NNNN NNNN **** **NN

  3. Can you keep two truncated PANs, a first-8-last-2 and a first-6-last-4, in the same environment? The answer is NO unless you want that environment to be in scope of all PCI DSS requirements, because basically you're storing the first 8 and last 4, which doesn't meet the truncation requirement.

withoutfire
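As an added illustration (not code from the thread or from the PCI SSC), the following Python encodes the "first 6, any other 4" reading of FAQ 1091 from point 2 and shows how the two formats in point 3 correlate into a view that is no longer a compliant truncation; the sample PAN is a constructed, well-known test number, not a real account.

```python
"""Check PCI DSS truncation formats and show how two truncations of the
same PAN correlate. Added example; the rule encoded is the answer's reading
of FAQ 1091: keep the first 6 digits plus at most any 4 others."""
from typing import Iterable, Set

MASK_CHAR = "*"


def truncate(pan: str, keep: Iterable[int]) -> str:
    """Mask every digit whose 1-based position (from the left) is not in keep."""
    if not pan.isdigit():
        raise ValueError("PAN must be all digits")
    keep_set = set(keep)
    return "".join(d if i + 1 in keep_set else MASK_CHAR for i, d in enumerate(pan))


def visible_positions(masked: str) -> Set[int]:
    """1-based positions of digits still readable in a masked PAN."""
    return {i + 1 for i, c in enumerate(masked) if c.isdigit()}


def is_compliant(masked: str, bin_len: int = 6, other_max: int = 4) -> bool:
    """True if the readable digits fit 'first bin_len, any other other_max'."""
    outside_bin = {p for p in visible_positions(masked) if p > bin_len}
    return len(outside_bin) <= other_max


def correlate(masked_a: str, masked_b: str) -> str:
    """Merge two truncations of the same PAN: a digit readable in either copy
    becomes readable in the merged view (what an attacker with both can see)."""
    if len(masked_a) != len(masked_b):
        raise ValueError("truncations must come from PANs of equal length")
    return "".join(a if a.isdigit() else b for a, b in zip(masked_a, masked_b))


# Constructed sample: a widely published test card number, not a real account.
SAMPLE_PAN = "4012888888881881"
FIRST6_LAST4 = truncate(SAMPLE_PAN, list(range(1, 7)) + list(range(13, 17)))
FIRST8_LAST2 = truncate(SAMPLE_PAN, list(range(1, 9)) + [15, 16])

if __name__ == "__main__":
    for name, m in (("first6-last4", FIRST6_LAST4), ("first8-last2", FIRST8_LAST2)):
        print(f"{name}: {m} compliant={is_compliant(m)}")
    merged = correlate(FIRST6_LAST4, FIRST8_LAST2)
    # Each format alone is compliant; together they expose 12 of 16 digits.
    print(f"both together: {merged} compliant={is_compliant(merged)}")
```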