#1
Hi,
Can someone please let me know why we try to protect/mask the 16 digit number (PAN)? I was under the impression that there are a few rogue web sites on the internet which permit fraudulent transactions by just providing the 16 digit number (PAN). Today, my client argued that VISA / Mastercard or any payment brand will not process the transaction until at least the expiry date is provided along with the PAN. Could someone give me details of such fraudulent transactions? I mean, how does anyone with access to only the 16 digit number perform a fraudulent transaction, or was I wrong? Apologies as I am new to PCI DSS.
Also, the client only accesses the PAN, and there are a few sections in the organization who have read access to the entire PAN although they can perform their function with access to the last 4 numbers. I suggested masking the information selectively for employees who do not need access to the entire 16 digits. Any help in this regard is greatly appreciated!! Thanks in anticipation.
#2
Last edited by rx.jeff; 06-25-2009 at 05:15 AM.
#3
Thanks for the response, Jeff... But I am still not sure as to how someone can guess an expiry date by knowing all 16 digits. Are there references for this on the internet which I can read to understand further? I would appreciate it if you could share them with me.
Also, are you sure that a fraudulent transaction cannot be done by using a 16 digit number alone? If so, can you please explain why it cannot be done? I apologize for asking these basic questions. As I mentioned earlier, I am new to PCI. Thanks in anticipation.
#4
Depending on the type of transaction involved, and where you are in the world, the expiry date may not be validated, e.g. recurring subscriptions on occasion.
Normally, there are only 24 or 36 possible valid expiry dates for a 'live' card account number. That's a lot easier to guess than several billion possible valid PAN values. Validated expiry - send a few low value transactions to some poor charity and let their payment engine slave over validating the PAN and expiry. By the way, address validation is not used in much of the world.
lyalc
#5
Hi!!!! Thanks a lot for the response. Can you please give further clarification on your comments?
Also, when you say recurring subscriptions, what are these subscriptions that you are referring to?
I understand this probably is spoon feeding for me, but I am totally new to all this. Hence any help is appreciated!! Also, is there any website where I can get more information on all this? If so, could you please provide the links/references (apart from Google of course). Thanks in anticipation!
#6
It was several years ago, pre-PCI, when a client was able to submit some recurring payments without the expiry date being validated, i.e. they didn't need to chase the customer to get updated expiry dates. Not sure of much beyond that at this distant time.
Cards are normally issued with a 2 or 3 year expiry date = 24/36 monthly expiry dates. In the USA, it is possible to do a form of address verification (at least to postcode, I think), reducing the potential for some fraud situations. Most of the real world doesn't support this for a variety of privacy and logistic issues around data collection and protection. Talk to your bank, talk to a QSA, or someone with payment systems experience at a technical, business and transactional level. Aegenis and others have some merchant training on PCI, and will be helpful.
lyalc
Last edited by lyalc; 06-30-2009 at 03:42 AM. Reason: typo
#7
Believe it or not, even in this age of heightened security awareness, some card brands authorize payments on the PAN only and ignore the supplied cardholder name and expiration date. I have seen a number of incidents where fraud has been committed with only the PAN being valid and the rest of the cardholder information was totally wrong.
To combat this, some merchants are now requesting CVV/CVC/CID and/or the cardholder's billing zip code. As Lyalc points out, there is also the issue of recurring payments that also sometimes gets a pass on all of the validation criteria. Typically recurring payments only require the cardholder name and the PAN.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc, 801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526. 612 376 9280 - office, 612 395 7280 - facsimile, www.mcgladrey.com. The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
#8
In petroleum you see a lot of "Address Verification" using the zip code, and you encounter a lot of "velocity" settings as well.
Basically, the merchant decides how many times your card will work in a 24 hour period. If the velocity setting is 1, then the merchant will only authorize your card 1 time (outside at the pump) in a given day. When gas prices are high and your car has a large capacity tank, this is why you sometimes get the "See Clerk" message when you try to swipe it again to complete a fill-up. Velocity combats the guy standing in the fuel island with a stolen card. He'll offer to fill your car with his card if you give him $20 cash, etc. Sometimes they make up a story about needing cash and their ATM card is dry, and sometimes they are up-front about being thieves.
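An added example, not from the thread or any of its posters, in Python: a masking helper for staff who only need the last four digits (the point raised in post #1) alongside a sliding-window velocity rule of the kind post #8 describes, keyed on an HMAC of the PAN so the counter table never stores the real number. The test PAN and the HMAC key are constructed placeholders.

```python
"""Added example (not from the thread): PAN masking for staff who only need the
last four digits, plus a merchant-side velocity rule as described in post #8.
The PAN used below is a constructed test value; the HMAC key is a placeholder."""
import hashlib
import hmac
from collections import defaultdict, deque


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Return the PAN with every digit except the trailing `keep_last` replaced
    by '*'. Spaces and dashes are dropped so the masked form has a fixed shape."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN so the velocity table never holds the real number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class VelocityLimiter:
    """Allow at most `limit` authorizations per card token in a sliding window."""

    def __init__(self, limit: int = 1, window_s: int = 24 * 3600):
        self.limit = limit
        self.window_s = window_s
        self._seen = defaultdict(deque)  # token -> timestamps of allowed auths

    def authorize(self, token: str, now: float) -> bool:
        q = self._seen[token]
        while q and now - q[0] >= self.window_s:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # "See Clerk": over the merchant's velocity setting
        q.append(now)
        return True


if __name__ == "__main__":
    KEY = b"placeholder-hmac-key"      # assumption: a real key lives in an HSM/KMS
    TEST_PAN = "4111 1111 1111 1111"   # constructed test number, not a live card
    print(mask_pan(TEST_PAN))                   # ************1111
    limiter = VelocityLimiter(limit=1)
    tok = pan_token(TEST_PAN, KEY)
    print(limiter.authorize(tok, now=0))        # True  (first fill-up)
    print(limiter.authorize(tok, now=600))      # False (second swipe, same day)
    print(limiter.authorize(tok, now=90000))    # True  (next day, window expired)
```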
#9
For the expiration date, a few will do an exact match on the MM and YY values supplied; others will look to see if the provided date is > the expdate on file, which will detect an expired card, nothing more.
#10
1. Samuel Clemens (Mark Twain) was born on and died on days when Halley's Comet can be seen. During his life he predicted that he would die when it could be seen.
2. US Dollar bills are made out of cotton and linen.
3. The "57" on the Heinz ketchup bottle represents the number of pickle types the company once had.
4. Americans are responsible for about 1/5 of the world's garbage annually. On average, that's 3 pounds a day per person.
5. Giraffes and rats can last longer without water than camels.
6. Your stomach produces a new layer of mucus every two weeks so that it doesn't digest itself.
7. 98% of all murders and rapes are by a close family member or friend of the victim.
8. A B-25 bomber crashed into the 79th floor of the Empire State Building on July 28, 1945.
9. The Declaration of Independence was written on hemp (marijuana) paper.
10. The dot over the letter "i" is called a tittle.