2

I'm looking at a solution that requires us to capture and send the first 12 digits of a customer's PAN in order to initiate a transaction that will be finalized by the customer at a later stage with an external payment processor.

A transaction log will be generated with the 12 first digits.

Would this be ok from a PCI-DSS point of view or would it require us to fully comply with PCI-DSS requirements?

Kalle Kula
  • 21
  • 1

2 Answers

2

To my knowledge, PCI-DSS is pretty clear on two principles:

  1. Avoid card data at rest (in storage) wherever possible.
  2. If the card number must be displayed at all, as @paulg indicates, first 6 and last 4 are acceptable and not more. That is only 10 digits, normally leaving 6 digits unknown. Your 12 leaves only 4 digits unknown.
miltonb
  • 6,905
  • 8
  • 45
  • 55
-2

PCI does allow this in order to allow for customer service computer searches such that the cardholder might be on the phone and ask for the first 8 digits of the credit card number in order to find a given customer or transaction - the PCI people understand that you cannot do an efficient customer/transaction search by decrypting each and every credit card number you have on a system to perform a search for a match. But I think I would regard the fact that you are allowed to store part of the credit card number unencrypted as applying only if you are meeting PCI-DSS requirements in all the other areas covered by PCI-DSS.

Ron Robinson
  • 558
  • 1
  • 3
  • 8
  • 1
    Do you have a source for that Ron? My understanding is that PCI allows first six, last four digits only in plain text. For fast lookups you use a hashed version of the card number – PaulG Nov 19 '12 at 10:12
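As an added example (not code from any poster here), the first-6/last-4 truncation described in the first answer and the keyed-hash lookup mentioned in PaulG's comment, in Python. The PAN used is a constructed test value, the HMAC key is a placeholder, and `is_compliant_mask` is an assumed helper that checks a stored string against the 6+4 limit.

```python
import hashlib
import hmac
import re

# Constructed test value, not a real cardholder's PAN.
TEST_PAN = "4111 1111 1111 1111"
# Placeholder: in practice the key lives in an HSM/KMS, not beside the log.
LOOKUP_KEY = b"replace-with-secret-key-from-kms"


def truncate_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the maximum the answer
    above says may be shown or stored in the clear; everything else is '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def is_compliant_mask(masked: str) -> bool:
    """True only if at most 6 leading and 4 trailing digits are visible
    and the middle is fully masked. A 12-digit prefix fails this check."""
    return re.fullmatch(r"\d{0,6}\*+\d{0,4}", masked) is not None


def pan_lookup_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN for exact-match searches,
    the approach PaulG's comment suggests. Without the key, the token
    cannot be recomputed from a guessed PAN, unlike a plain SHA-256."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def transaction_log_entry(pan: str, key: bytes) -> dict:
    """What the transaction log may carry instead of a 12-digit prefix:
    a compliant mask for humans plus a keyed token for lookups."""
    masked = truncate_pan(pan)
    assert is_compliant_mask(masked)
    return {"pan_masked": masked, "pan_token": pan_lookup_token(pan, key)}


if __name__ == "__main__":
    print(transaction_log_entry(TEST_PAN, LOOKUP_KEY))
```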