
Why is protection of PAN required?


nambiarenator
06-25-2009, 02:31 AM
Hi,

Can someone please let me know why we try to protect/mask the 16-digit number (PAN)? I was under the impression that there are a few rogue websites on the internet which permit fraudulent transactions by just providing the 16-digit number (PAN). Today, my client argued that VISA / Mastercard or any payment brand will not process the transaction until at least the expiry date is provided along with the PAN. Could someone give me details of such fraudulent transactions? I mean, how does anyone with access to only the 16-digit number perform a fraudulent transaction, or was I wrong? Apologies, as I am new to PCI DSS.

Also, the client only accesses the PAN, and there are a few sections in the organization who have read access to the entire PAN although they can perform their function with access to the last 4 numbers. I suggested masking the information selectively for employees who do not need access to the entire 16 digits.


Any help in this regard is greatly appreciated!!

Thanks in anticipation.

rx.jeff
06-25-2009, 05:12 AM
Hi,

Can someone please let me know why we try to protect/mask the 16-digit number (PAN)? I was under the impression that there are a few rogue websites on the internet which permit fraudulent transactions by just providing the 16-digit number (PAN). Today, my client argued that VISA / Mastercard or any payment brand will not process the transaction until at least the expiry date is provided along with the PAN. Could someone give me details of such fraudulent transactions? I mean, how does anyone with access to only the 16-digit number perform a fraudulent transaction, or was I wrong? Apologies, as I am new to PCI DSS.

Also, the client only accesses the PAN, and there are a few sections in the organization who have read access to the entire PAN although they can perform their function with access to the last 4 numbers. I suggested masking the information selectively for employees who do not need access to the entire 16 digits.


Any help in this regard is greatly appreciated!!

Thanks in anticipation.

If you don't protect the PAN, it is actually easier to guess the expiration with 4 digits as opposed to guessing the 6 that is masked + the 4 expiration digits. So in masking the PAN, it would be much harder to guess 10 digits as opposed to the 4 digits of the expiration date (which you can further narrow down to 'future month and year dates').
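The role-based masking the original poster suggested, and the reason rx.jeff gives for it (a masked PAN leaves six more digits unknown on top of the expiry), can be shown in a few lines. This is an added example, not code from the thread or from any PCI DSS document; the role names are hypothetical, the "first six / last four" display limit is the PCI DSS requirement 3.3 maximum, and the card number used is the well-known 4111 test number, not a live account.

```python
"""Role-based PAN masking with a Luhn sanity check.

Added example, not code from the original thread. Assumes the PCI DSS
"first six / last four" display maximum and a constructed role table;
the role names are hypothetical.
"""
import re

# Hypothetical roles. Only FULL_PAN_ROLES may see the whole number;
# LAST_FOUR_ONLY_ROLES get the minimum needed to identify a card;
# everyone else gets the PCI DSS 3.3 maximum (first six + last four).
FULL_PAN_ROLES = {"chargeback_analyst"}
LAST_FOUR_ONLY_ROLES = {"customer_service", "marketing"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    This only catches typos and obviously fabricated numbers; it says
    nothing about whether the account is live.
    """
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str, role: str) -> str:
    """Mask a PAN for display according to the viewer's role."""
    pan = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    if role in FULL_PAN_ROLES:
        return pan
    if role in LAST_FOUR_ONLY_ROLES:
        return "*" * (len(pan) - 4) + pan[-4:]
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hidden_digits(masked: str) -> int:
    """How many PAN digits a viewer of this masked string does not have."""
    return masked.count("*")


if __name__ == "__main__":
    # Constructed sample: a standard test number, not a live card.
    sample = "4111 1111 1111 1111"
    print("Luhn valid:", luhn_valid(sample.replace(" ", "")))
    for role in ("chargeback_analyst", "customer_service", "fraud_ops"):
        shown = mask_pan(sample, role)
        print(f"{role:20s} {shown}  ({hidden_digits(shown)} digits hidden)")
```

The point of `hidden_digits` is the comparison rx.jeff makes: a customer-service screen that shows only the last four leaves twelve digits unknown, the PCI default mask leaves six, and the unmasked PAN leaves none, so the expiry date is then the only thing standing between the viewer and a usable card.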

nambiarenator
06-28-2009, 08:21 PM
Thanks for the response, Jeff... But I am still not sure how someone can guess an expiry date by knowing all 16 digits. Are there references for this on the internet which I can read to understand further? I would appreciate it if you could share them with me.

Also, are you sure that a fraudulent transaction cannot be done by using a 16-digit number alone? If so, can you please explain why it cannot be done? I apologize for asking these basic questions. As I mentioned earlier, I am new to PCI.

Thanks in anticipation.

lyalc
06-28-2009, 11:32 PM
Depending on the type of transaction involved, and where you are in the world, the expiry date may not be validated, e.g. recurring subscriptions on occasion.

Normally, there are only 24 or 36 possible valid expiry dates for a 'live' card account number.
That's a lot easier to guess than several billion possible valid PAN values.
Validated expiry - send a few low-value transactions to some poor charity and let their payment engine slave over validating the PAN and expiry.

BTW, address validation is not used in much of the world.

lyalc

nambiarenator
06-29-2009, 09:56 PM
Hi!!!! Thanks a lot for the response. Can you please give further clarification on your comments?

Depending on the type of transaction involved, and where you are in the world, the expiry date may not be validated, e.g. recurring subscriptions on occasion.

Can you please give me examples of the places where it probably is not validated? If it is not validated at the time of making the online purchase, then is there no validation happening at the bank's end for the funds transfer??

Also, when you say recurring subscriptions, what are these subscriptions that you are referring to?

Normally, there are only 24 or 36 possible valid expiry dates for a 'live' card account number.

Can you please tell me how you arrived at these figures (24/36)?

That's a lot easier to guess than several billion possible valid PAN values.
Validated expiry - send a few low-value transactions to some poor charity and let their payment engine slave over validating the PAN and expiry.

BTW, address validation is not used in much of the world.

lyalc

Address validation??

I understand this probably is spoon-feeding for me :D, but I am totally new to all this. Hence, any help is appreciated!! Also, is there any website where I can get more information on all this? If so, could you please provide the links/references (apart from Google, of course :o).

Thanks in anticipation!

lyalc
06-30-2009, 03:41 AM
It was several years ago, pre-PCI, when a client was able to submit some recurring payments without the expiry date being validated, i.e. they didn't need to chase the customer to get updated expiry dates. Not sure of much beyond that at this distant time.

Cards are normally issued with a 2- or 3-year expiry date = 24/36 monthly expiry dates.

In the USA, it is possible to do a form of address verification (at least to postcode, I think), reducing the potential for some fraud situations. Most of the real world doesn't support this for a variety of privacy and logistic issues around data collection and protection.

Talk to your bank, talk to a QSA, or someone with payment systems experience at a technical, business and transactional level. Aegenis and others have some merchant training on PCI, and will be helpful.

lyalc

jbhall56
06-30-2009, 04:26 AM
Believe it or not, even in this age of heightened security awareness, some card brands authorize payments on the PAN only and ignore the supplied cardholder name and expiration date. I have seen a number of incidents where fraud has been committed with only the PAN being valid and the rest of the cardholder information was totally wrong.

To combat this, some merchants are now requesting CVV/CVC/CID and/or the cardholder's billing zip code.

As Lyalc points out, there is also the issue of recurring payments, which also sometimes get a pass on all of the validation criteria. Typically recurring payments only require the cardholder name and the PAN.

ADail
06-30-2009, 11:56 AM
In petroleum you see a lot of "Address Verification" using the zip code, and you encounter a lot of "velocity" settings as well.

Basically, the merchant decides how many times your card will work in a 24-hour period. If the velocity setting is 1, then the merchant will only authorize your card 1 time (outside at the pump) in a given day. When gas prices are high and your car has a large-capacity tank, this is why you sometimes get the "See Clerk" message when you try to swipe it again to complete a fill-up.

Velocity combats the guy standing in the fuel island with a stolen card. He'll offer to fill your car with his card if you give him $20 cash, etc. Sometimes they make up a story about needing cash and their ATM card being dry, and sometimes they are up-front about being thieves.
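ADail's velocity setting is a simple rolling-window counter, and it is worth seeing how it behaves at the boundaries (a second swipe minutes later, a different card, and the same card the next day). The following is an added example written for this thread, not code from any petroleum or payment system; the card numbers, timestamps and keyed-hash secret are constructed, and the "DECLINE_SEE_CLERK" response string is a hypothetical label for the "See Clerk" message described above.

```python
"""Per-card authorization velocity check over a rolling 24-hour window.

Added example, not code from the original thread. The velocity limit,
card numbers and timestamps are constructed; the HMAC key is a
placeholder standing in for a secret that would live in an HSM/KMS.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hashlib
import hmac

WINDOW = timedelta(hours=24)

# Constructed demo key. The counter stores a keyed hash, never the PAN,
# so a dump of the velocity table does not expose card numbers.
REFERENCE_KEY = b"constructed-demo-key-not-for-production"


def card_reference(pan: str) -> str:
    """Stable, non-reversible reference for a PAN (HMAC-SHA256)."""
    return hmac.new(REFERENCE_KEY, pan.encode(), hashlib.sha256).hexdigest()


class VelocityChecker:
    """Approve at most `limit` authorizations per card in any `window`."""

    def __init__(self, limit: int, window: timedelta = WINDOW):
        self.limit = limit
        self.window = window
        self._history = defaultdict(deque)  # card_ref -> approval timestamps

    def authorize(self, pan: str, when: datetime) -> str:
        history = self._history[card_reference(pan)]
        # Forget approvals that have rolled out of the window.
        while history and when - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.limit:
            return "DECLINE_SEE_CLERK"
        history.append(when)
        return "APPROVED"


def run_sample() -> list:
    """Replay constructed pump swipes against a velocity limit of 1."""
    checker = VelocityChecker(limit=1)
    t0 = datetime(2009, 6, 30, 8, 0)
    attempts = [
        ("4111111111111111", t0),                          # first fill-up
        ("4111111111111111", t0 + timedelta(minutes=5)),   # second swipe, same card
        ("5555555555554444", t0 + timedelta(minutes=6)),   # a different card
        ("4111111111111111", t0 + timedelta(hours=25)),    # same card next day
    ]
    return [checker.authorize(pan, when) for pan, when in attempts]


if __name__ == "__main__":
    for outcome in run_sample():
        print(outcome)
```

Only approved authorizations are counted here; a merchant that wants to throttle repeated declines as well (the stolen-card case ADail describes) would append to the history before returning the decline, which is a one-line change.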

dbergert
07-15-2009, 09:59 AM
Believe it or not, even in this age of heightened security awareness, some card brands authorize payments on the PAN only and ignore the supplied cardholder name and expiration date.

From my experience: Track 1 is rarely sent; I haven't seen it in many, many years. Track 2, which only contains account number, expiry date, service code, etc., doesn't include the cardholder name. Cardholder name is not used by issuers.

For expiration date, a few will do an exact match on the MM and YY values supplied; others will look to see if the provided date is > than the expdate on file, which will detect an expired card, nothing more.
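dbergert's two issuer behaviours are easiest to compare against a parsed Track 2, since that is exactly the data (PAN, expiry, service code) the authorization carries. This is an added example, not code from the thread or from any issuer; it assumes the ISO/IEC 7813 Track 2 layout (start sentinel `;`, PAN, separator `=`, YYMM expiry, three-digit service code, discretionary data, end sentinel `?`), treats the two-digit year as 20YY, and uses constructed track strings built on the standard 4111 test number.

```python
"""Track 2 parsing and the two expiry-date policies described above.

Added example, not code from the original thread. Assumes the ISO/IEC
7813 Track 2 layout and a 20YY century; the sample tracks are
constructed around a standard test number, not a live card.
"""
import re
from dataclasses import dataclass
from datetime import date

# ;PAN=YYMM SSS discretionary? (ISO/IEC 7813 Track 2; LRC not included)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass
class Track2:
    pan: str
    expiry_year: int
    expiry_month: int
    service_code: str
    discretionary: str

    def masked_pan(self) -> str:
        """PCI DSS display form of the PAN for logs and screens."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: str) -> Track2:
    """Split a Track 2 string into its fields, rejecting malformed input."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2")
    month = int(m["mm"])
    if not 1 <= month <= 12:
        raise ValueError("expiry month out of range")
    # Assumption: two-digit year means 20YY.
    return Track2(m["pan"], 2000 + int(m["yy"]), month, m["svc"], m["disc"])


def exact_match_policy(track: Track2, on_file: tuple) -> bool:
    """Issuer behaviour 1: supplied YY/MM must equal the expiry on file."""
    return (track.expiry_year, track.expiry_month) == on_file


def not_expired_policy(track: Track2, today: date) -> bool:
    """Issuer behaviour 2: only rejects a date already in the past.

    Any future month is accepted, including one that is simply wrong,
    so this policy does not verify that the submitter knows the expiry.
    """
    return (track.expiry_year, track.expiry_month) >= (today.year, today.month)


if __name__ == "__main__":
    on_file = (2011, 12)                      # constructed issuer record
    today = date(2009, 6, 30)
    for raw in (";4111111111111111=11121010000000000?",   # correct expiry
                ";4111111111111111=11061010000000000?"):  # wrong but future
        t = parse_track2(raw)
        print(t.masked_pan(), t.expiry_year, t.expiry_month, t.service_code,
              "exact:", exact_match_policy(t, on_file),
              "not-expired:", not_expired_policy(t, today))
```

The second sample track carries an expiry that is wrong for the account but still in the future: the exact-match issuer declines it, the not-expired issuer approves it. That difference is the practical reason the thread gives for masking the PAN rather than relying on the expiry date as a secret, and `masked_pan` is the form that should reach any log line, since full track data is sensitive authentication data that must not be stored after authorization.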

Donny Michael
07-20-2009, 03:42 AM
1. Samuel Clemens (Mark Twain) was born on and died on days when Halley's Comet can be seen. During his life he predicted that he would die when it could be seen.
2. US Dollar bills are made out of cotton and linen.
3. The "57" on the Heinz ketchup bottle represents the number of pickle types the company once had.
4. Americans are responsible for about 1/5 of the world's garbage annually. On average, that's 3 pounds a day per person.
5. Giraffes and rats can last longer without water than camels.
6. Your stomach produces a new layer of mucus every two weeks so that it doesn't digest itself.
7. 98% of all murders and rapes are by a close family member or friend of the victim.
8. A B-25 bomber crashed into the 79th floor of the Empire State Building on July 28, 1945.
9. The Declaration of Independence was written on hemp (marijuana) paper.
10. The dot over the letter "i" is called a tittle.