Axel Gromann
02-14-2007, 02:09 PM
Query regarding discrepancy between “PCI DSS – Security Audit Procedures” item 3.3 and “PCI Self Assessment Questionnaire” item 3.4
Hi!
Please note that we have come across a discrepancy between the above. The audit procedures stipulate that masking of PAN should be in line with the following: “the first six and last four digits are the maximum number of digits to be displayed”, while the Questionnaire asks whether “all but the last four digits of the account number (are) masked”.
The latter being the no doubt more secure, the self assessing party would fail if it were to adhere to the audit procedure requirements and displayed the first six and last four.
Please advise whether this is/has been addressed and confirm the prudent course of action.
Right now I would take the stance that the QSA should use his better judgement and let the questionnaire item pass as adequate if the first six and last four are displayed, since this is the standard’s requirement and was stipulated as such in the course.
Quotes out of “PCI DSS – Security Audit Procedures” item 3.3 and “PCI Self Assessment Questionnaire” item 3.4 as follows:
PCI DSS – Security Audit Procedures
3.3
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
PCI Self Assessment Questionnaire
3.4
Are all but the last four digits of the account number masked when displaying cardholder data
Thanks,
Ax.
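To make the difference between the two wordings concrete, here is an added example (not part of the original post, and not code from the PCI SSC) that masks a PAN under each rule and checks whether a displayed value reveals more digits than a given rule allows. The policy names `audit_3_3` and `saq_3_4` are my own labels for the two quoted items; the 13 to 19 digit length range is the usual PAN length envelope and the sample card number is a constructed test value.

```python
import re

# Masking policies exactly as the two quoted PCI documents word them.
# Values are (leading digits allowed, trailing digits allowed).
# The names are assumptions made for this example, not official identifiers.
POLICIES = {
    "audit_3_3": (6, 4),  # "first six and last four ... maximum ... displayed"
    "saq_3_4": (0, 4),    # "all but the last four digits ... masked"
}


def digits_only(value: str) -> str:
    """Strip spaces and dashes so a formatted PAN can be handled digit by digit."""
    return re.sub(r"[^0-9]", "", value)


def mask_pan(pan: str, policy: str, mask_char: str = "X") -> str:
    """Return the PAN masked so that only the digits the policy permits remain."""
    lead, trail = POLICIES[policy]
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    hidden = len(d) - lead - trail
    return d[:lead] + mask_char * hidden + d[len(d) - trail:]


def complies(displayed: str, policy: str) -> bool:
    """True if a displayed value reveals no digit outside the positions the policy allows.

    Formatting characters (spaces, dashes) are ignored; any digit found in the
    region the policy requires to be masked is a violation.
    """
    lead, trail = POLICIES[policy]
    d = re.sub(r"[\s-]", "", displayed)
    if not 13 <= len(d) <= 19:
        return False
    middle = d[lead:len(d) - trail]
    return not any(c.isdigit() for c in middle)


def compare_policies(pan: str) -> dict:
    """Mask one PAN under each policy and test each result against both policies.

    Shows that a display meeting the audit-procedure wording (first six + last
    four) fails the questionnaire wording, while a last-four-only display
    satisfies both.
    """
    results = {}
    for mask_policy in POLICIES:
        shown = mask_pan(pan, mask_policy)
        results[mask_policy] = {
            "displayed": shown,
            "passes": {check: complies(shown, check) for check in POLICIES},
        }
    return results


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed test PAN, not a real card
    for name, info in compare_policies(sample).items():
        print(f"{name}: {info['displayed']} -> {info['passes']}")
```

Running it on the constructed sample shows `411111XXXXXX1111` passing the `audit_3_3` check but failing `saq_3_4`, and `XXXXXXXXXXXX1111` passing both, which is exactly the asymmetry the post describes: the questionnaire wording is strictly tighter, so a display that follows the audit procedure can never satisfy a literal reading of the questionnaire item.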