Society of Payment Security Professionals Forum  

#1
01-26-2009, 10:38 AM
vot_ol
PCI DSS req. 3.3

Hi!
Question about req. 3.3

Our client uses the last 5 digits when masking the PAN when it is displayed.

Is that correct? Which Payment Card Brand’s documents describe how PAN must be displayed?

Our client thinks that it is more secure than displaying the first six and last four digits.

Thank you!

Last edited by vot_ol; 01-26-2009 at 06:42 PM.
#2
01-26-2009, 10:36 PM
cmark

PCI DSS standard says first six and last four. With regard to customer receipts only the last four can be shown.

The last 5 is consistent with FACTA. If they can get by with only last 5, I would say they should talk with their acquirer, or QSA, or Visa, if appropriate. It is certainly more secure than the 6/4 stated but most companies would struggle with only the last 5. In their case not even the issuer id number is present.

Shouldn't be a problem quite frankly.
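An added example, not part of any post in this thread: a masking routine for the two display limits mentioned above, plus an audit check for strings that are already masked. The names mask_pan, check_display and LIMITS are hypothetical, and the strict per-position reading of "first six / last four" is an assumption that matches what the next post reports being told by the card brands.

```python
import re

# Maximum clear digits (leading, trailing) per context, as stated in the thread:
# first six / last four in general, last four only on customer receipts.
LIMITS = {"screen": (6, 4), "receipt": (0, 4)}

def luhn_ok(digits):
    """Luhn checksum; used only to reject input that is not a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan, context="screen", mask_char="*"):
    """Return the PAN with only the digits allowed for `context` left clear."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("input is not a plausible PAN")
    first, last = LIMITS[context]
    hidden = len(digits) - first - last
    return digits[:first] + mask_char * hidden + digits[len(digits) - last:]

def check_display(masked, context="screen"):
    """Audit an already-masked string: (leading clear, trailing clear, ok)."""
    s = re.sub(r"[ -]", "", masked)
    lead = len(re.match(r"\d*", s).group())
    trail = len(re.search(r"\d*$", s).group()) if lead < len(s) else 0
    middle = s[lead:len(s) - trail]
    first, last = LIMITS[context]
    # Strict positional reading (assumption): each side is capped separately,
    # and no digit may appear between the two clear runs.
    ok = (lead < len(s) and lead <= first and trail <= last
          and not any(c.isdigit() for c in middle))
    return lead, trail, ok

if __name__ == "__main__":
    # Constructed sample values: well-known test numbers, not real accounts.
    for pan in ("4111 1111 1111 1111", "378282246310005"):
        print(mask_pan(pan), mask_pan(pan, "receipt"))
    print(check_display("***********11111"))   # last-five display from the thread
```

Under this strict reading the last-five display is flagged even though it shows fewer digits in total than first six / last four, which is the gap between the two views in this thread.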
#3
01-27-2009, 05:10 AM
jbhall56

Years ago our client's systems masked to the last five digits. Their rationale was because of the structure of American Express PANs. We went through the effort to discuss this with Visa and MasterCard to get special dispensation so they could avoid an expensive change. Our client was ultimately told that the rules are the rules and were told to comply with the first six last four masking rule. This resulted in them undertaking a massive project (almost a year long and $500K in cost) to change databases, reports and screens.

I was hoping that because our client is fairly large, that it was just the perceived risk that drove this decision. However, since then we have had similar discussions with similar results, so be prepared to be told that you need to change even though I would agree with Chris that it should not be a big deal.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#4
01-27-2009, 05:34 AM
derra

Quote:
Originally Posted by vot_ol
Hi!
Question about req. 3.3

Our client uses the last 5 digits when masking the PAN when it is displayed.

Is that correct? Which Payment Card Brand’s documents describe how PAN must be displayed?

Our client thinks that it is more secure than displaying the first six and last four digits.

Thank you!

Document that describes how the PAN should be masked: https://www.pcisecuritystandards.org...i_dss_v1-2.pdf

And under 3.3, as you mentioned, it states clearly what is allowed to be displayed.
All times are GMT -8.


Copyright (c) The Aegenis Group, Inc.