I need to present, for user, last 4 digits of credit card attached to our system (as skype does for example). It should look like:
We will charge your card xxx-xxx-xxxx-1234
For authorizing and charging CD we use some 'Payment Gateway'. Unfortunately they do not have any API which based on transaction number can return me that data. Is it legal to keep last 4 digits in my local DB, and is it ok according to PCI?
Or maybe there is a difference way to do that.
The defining point for PCI is whether or not the primary account number is present (stored, processed or transmitted).
The PAN is 16-19 digits long. A truncated/masked PAN shows AT MOST the first six and last four digits. It can show less providing it's of those subsets.
In the case you mentioned you are only talking about the last four digits. This is not counted as a PAN so PCI does not apply and you are perfectly allowed to store and display these digits.
However, don't forget about where you are getting the digits from. If your processor returns the full PAN and you do the substitution/masking then you will need to take account of PCI as you will be transmitting (receiving) and processing the PAN even if you're not storing it.
Here is it :)
We will charge your card:
<% card_info_xxx = @card_info.card_number.length - 4
1.upto(card_info_xxx) { concat 'x'.squish }
%><%= @card_info.card_number[-4..-1] %>
