PCI DSS req. 3.3


vot_ol
01-26-2009, 10:38 AM
Hi!
Question about req. 3.3

Our client uses the last 5 digits when masking the PAN when it is displayed.

Is that correct? Which payment card brand's documents describe how the PAN must be displayed?

Our client thinks that it is more secure than displaying the first six and last four digits.

Thank you!

cmark
01-26-2009, 10:36 PM
The PCI DSS standard says first six and last four. With regard to customer receipts, only the last four can be shown.

The last 5 is consistent with FACTA. If they can get by with only the last 5, I would say they should talk with their acquirer, or QSA, or Visa, if appropriate. It is certainly more secure than the 6/4 stated, but most companies would struggle with only the last 5. In their case not even the issuer ID number is present.

Shouldn't be a problem quite frankly.
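As an added illustration (not code from the thread or from any card brand), the masking rule cmark describes, in Python: a function that masks a PAN to first six/last four for display, or last four only for receipts, plus a check that flags any displayed value revealing digits outside those positions. All PANs used are constructed sample strings, not real card numbers.

```python
import re

# Constructed sample PANs for demonstration only (not real card numbers).
SAMPLE_16_DIGIT = "4111 1111 1111 1111"
SAMPLE_15_DIGIT = "371234567890123"


def _digits_only(value: str) -> str:
    """Drop the spaces and dashes commonly used to group PAN digits."""
    return re.sub(r"[ -]", "", value)


def mask_pan(pan: str, keep_front: int = 6, keep_back: int = 4) -> str:
    """Mask a PAN, keeping keep_front leading and keep_back trailing digits.

    Defaults follow the rule stated in the thread (first six, last four).
    Use keep_front=0, keep_back=4 for customer receipts (last four only).
    """
    digits = _digits_only(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    hidden = len(digits) - keep_front - keep_back
    if hidden < 0:
        raise ValueError("keep_front + keep_back exceeds PAN length")
    return digits[:keep_front] + "*" * hidden + digits[len(digits) - keep_back:]


def is_compliant_mask(masked: str) -> bool:
    """True if every revealed digit sits in the first six or last four positions.

    Showing fewer digits than that is still compliant; revealing a digit
    anywhere else (e.g. the fifth-from-last digit of a last-five scheme) is not.
    """
    value = _digits_only(masked)
    n = len(value)
    if not 13 <= n <= 19:
        return False
    allowed = set(range(6)) | set(range(n - 4, n))
    return all(not c.isdigit() or i in allowed for i, c in enumerate(value))


if __name__ == "__main__":
    for scheme in ((6, 4), (0, 4), (0, 5)):
        shown = mask_pan(SAMPLE_15_DIGIT, *scheme)
        print(scheme, shown, "compliant" if is_compliant_mask(shown) else "NOT compliant")
```

Run against the 15-digit sample, the last-five scheme is the only one flagged, which matches what the thread says the card brands required.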

jbhall56
01-27-2009, 05:10 AM
Years ago our client's systems masked to the last five digits. Their rationale was because of the structure of American Express PANs. We went through the effort to discuss this with Visa and MasterCard to get special dispensation so they could avoid an expensive change. Our client was ultimately told that the rules are the rules and was told to comply with the first six, last four masking rule. This resulted in them undertaking a massive project (almost a year long and $500K in cost) to change databases, reports and screens.

I was hoping that because our client is fairly large, it was just the perceived risk that drove this decision. However, since then we have had similar discussions with similar results, so be prepared to be told that you need to change, even though I would agree with Chris that it should not be a big deal.

derra
01-27-2009, 05:34 AM
Document that describes how the PAN should be masked: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

And under 3.3, as you mentioned, it states clearly what is allowed to be displayed.