PAN Last 10 Digits


neobaby
01-04-2009, 11:18 AM
Hi all,

One of our clients is distributing the last 10 digits of the PAN (except the BIN) to another party as part of the point redemption programme. This in turn allowed our client and the third party to avoid being PCI DSS compliant, as the full PAN is in no way sent.

Considering how easy it is to get the BIN/IIN, is it in any way non-compliant with PCI DSS, in addition to the normal risk the process carries?

mdahn
01-04-2009, 06:19 PM
In order for it to NOT be considered cardholder data you need to remove all but the first six (6) and last four (4) digits. Technically the last 10 digits is still considered cardholder data.

In this instance I would identify the business need for the last 10 digits and identify another unique identifier, such as a secure hash.
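
The first-six/last-four rule and the "secure hash" identifier from the reply above, as an added example that is not part of the original thread. It assumes a keyed hash (HMAC-SHA256) for the identifier, since the reply does not name a construction; the function names, sample PAN and key are constructed for illustration.

```python
import hashlib
import hmac


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits; mask everything between."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("expected a digits-only PAN of at least 13 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def exposes_too_much(shared: str, pan: str) -> bool:
    """True if `shared` reveals any digit outside the first six / last four.

    `shared` may be a masked PAN of full length or a bare suffix such as
    the "last 10 digits" described in the question.
    """
    allowed = truncate_pan(pan)
    if len(shared) < len(pan):
        # Treat a short value as a suffix and left-pad it with mask characters.
        shared = "*" * (len(pan) - len(shared)) + shared
    return any(s != "*" and a == "*" for s, a in zip(shared, allowed))


def redemption_id(pan: str, key: bytes) -> str:
    """Stable per-card identifier for the redemption partner.

    Assumption: HMAC-SHA256 with a secret key held only by the card-data
    owner. A key is used because the PAN space is small enough to enumerate
    against an unkeyed hash.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample values: a widely used test card number and a placeholder key.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"placeholder-key-load-from-a-key-store"

if __name__ == "__main__":
    last_ten = SAMPLE_PAN[-10:]
    print("last 10 digits exposes too much:", exposes_too_much(last_ten, SAMPLE_PAN))
    print("truncated form:", truncate_pan(SAMPLE_PAN))
    print("partner identifier:", redemption_id(SAMPLE_PAN, SAMPLE_KEY))
```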