Several Founders, Co-Founders, CXO Bankers, CXO Fintech professionals & people who participated in the ePanel discussions:
- Mr. P D Singh, Former General Manager, Bank of Baroda
- Mr. Ravi Kadam, Chief Technology Officer & Co-founder, Benow
- Mr. Abhishek Arun, Senior Vice President, Paytm
- Mr. Rahul Dayal, Senior Vice President & Head-Business Solutions Group Liabilities, cards & BI, RBL Bank
- Mr. Hemal Shah, Technical Product Manager, Mastercard
- Ms. Arushi Govil, Senior Manager – Legal, PayU Payments Pvt. Ltd
- Mr. Vishal Kanvaty, Senior Vice President – Product & Innovation, NPCI
- Mr. Vikas R Panditrao, Co-founder, Forum of Industry Academic Knowledge Sharing (FIAKS)
- Many other CEO/CXO Bankers & Fintech professionals on FIAKS Forum requested to remain anonymous
PAN (Primary Account Number) is a vital part of cardholder data that must be protected under the PCI DSS guidelines. PAN masking is one way to protect this data: only the first 6 and last 4 digits of the card number are displayed, so that only authorized personnel can see the full cardholder data. It seems Citibank is following a reverse method, literally!
A FIAKS member reported how their Citibank ATM withdrawal receipt showed the first 4 and the last 6 digits of the card number. This does not match PCI’s PAN masking and truncation guidelines. FIAKS put this topic up for discussion to all its members.
One member said that as long as the full PAN is not shown, it should be fine. PCI DSS has put down a guideline, not a mandate, regarding the showing of the first 6 and last 4 digits. The mandate is for PAN truncation. A question was raised on this statement: do the PCI DSS standards allow flexibility in the masking of digits? Could the banks mask any 6 and 4 digits? What if a bank decided to mask the middle 10 digits instead; would that be okay?
A member replied that, to their knowledge, the first 6 digits indicate the card association, credit card/debit card, and the issuer bank. Randomly masking digits and displaying the rest is not allowed. A FIAKS community member shared the following update on the PCI Standard:
“What the PCI DSS says (Requirement 3.3): Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. This requirement relates to the protection of PAN displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.4 for protection of PAN when stored in files, databases, etc. This is the maximum that the DSS allows. More than that can be used to reconstruct the PAN.”
Another member confirmed that the first 6 digits are the Bank Identification Number.
“The masking approach should always ensure that only the minimum number of digits is displayed as necessary to perform a specific business function. For example, if only the last four digits are needed to perform a business function, mask the PAN so that individuals performing that function can view only the last four digits. As another example, if a function needs access to the bank identification number (BIN) for routing purposes, unmask only the BIN digits (traditionally the first six digits) during that function,” summarised one contributor.
A lot of members supported this statement, saying that only the first 6 and last 4 digits can be shown, while the middle 6 digits should not be exposed. The first six digits are for bank identification, and the last four digits are for the customer to identify his/her card.
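To make the Requirement 3.3 rule and the minimum-necessary principle concrete, here is an added example in Python (not code from the FIAKS discussion or from the PCI SSC): a masking function that refuses to reveal more than the first six and last four digits, a compliance check for a PAN as it appears on a receipt, and a scan over constructed receipt lines that flags the "first 4 and last 6" pattern described above. The card numbers are synthetic, and the receipt format (four groups of four, separated by spaces) is an assumption for the scanner.

```python
"""PAN display masking per PCI DSS Requirement 3.3 (added illustration).

Assumptions: PANs are 13-19 digits; the scanner expects the 16-digit
"XXXX XXXX XXXX XXXX" grouping; all sample card numbers below are synthetic.
"""
import re

MAX_LEADING = 6   # BIN digits that Requirement 3.3 allows to be shown
MAX_TRAILING = 4  # trailing digits that Requirement 3.3 allows to be shown


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING,
             mask_char: str = "X") -> str:
    """Return the PAN with every digit masked except `leading` first and
    `trailing` last ones. Callers that need less (e.g. last four only for a
    customer receipt, BIN only for routing) pass smaller values; asking for
    more than the first-six/last-four maximum is refused outright."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("exceeds the first-six/last-four maximum of PCI DSS 3.3")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + mask_char * hidden + digits[len(digits) - trailing:]


def masked_pan_complies(displayed: str) -> bool:
    """Check a PAN as it is displayed (spaces/dashes allowed).

    Compliant means: a run of visible digits at the start of at most six,
    a run of visible digits at the end of at most four, and at least one
    masked digit in between. A fully visible PAN or a PAN with digits
    interleaved among mask characters is not compliant."""
    token = re.sub(r"[\s-]", "", displayed)
    m = re.fullmatch(r"(\d*)(\D+)(\d*)", token)
    if m is None:
        return False
    prefix, _, suffix = m.groups()
    return len(prefix) <= MAX_LEADING and len(suffix) <= MAX_TRAILING


# 16-digit card numbers written as four groups of four (digits or mask chars).
PAN_PATTERN = re.compile(r"(?:[\dX*]{4}[ -]?){3}[\dX*]{4}")


def find_noncompliant_pans(text: str) -> list[str]:
    """Return every card-number token in receipt or log text that exposes
    more than Requirement 3.3 allows (including fully unmasked PANs)."""
    return [m.group(0) for m in PAN_PATTERN.finditer(text)
            if not masked_pan_complies(m.group(0))]


# Constructed receipt lines; the card numbers are synthetic.
SAMPLE_RECEIPTS = [
    "CARD: 4111 11XX XXXX 1234  WITHDRAWAL INR 5000",  # first 6 + last 4: compliant
    "CARD: 4111 XXXX XX12 3456  WITHDRAWAL INR 2000",  # first 4 + last 6: too many trailing digits
    "CARD: XXXX XXXX XXXX 1234  BALANCE ENQUIRY",      # last 4 only: compliant, minimum necessary
    "CARD: 4111 1111 1111 1234  WITHDRAWAL INR 100",   # full PAN on paper: never allowed
]

if __name__ == "__main__":
    print("last four only  :", mask_pan("4111111111111234", leading=0))
    print("BIN only        :", mask_pan("4111111111111234", trailing=0))
    print("first 6 / last 4:", mask_pan("4111 1111 1111 1234"))
    for bad in find_noncompliant_pans("\n".join(SAMPLE_RECEIPTS)):
        print("non-compliant display:", bad)
```

Run over real receipt or log text, the scanner will also match any other 16-digit, four-group number (transaction references, for instance), so treat a hit as something to review rather than proof of a violation; the point of `mask_pan` refusing `leading=7` is that the "how much may be shown" decision is enforced in code rather than left to whoever formats the receipt.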
Others were still unsure whether the PCI DSS guidelines were meant to ensure that the minimum number of digits is shown, and felt that as long as the full PAN wasn’t visible, it should be alright.
One member turned the tables by questioning why India should even follow PCI DSS guidelines. He stated that China doesn’t, and their transactions are still secure. PCI compliance increases cost, especially certification.