The PCI Security Standards Council's redefined truncation rules are a mess.
One way to reduce the pain of PCI compliance is to store only a portion of the card number. This is called truncation. You can still show people the truncated number to identify which card you are talking about, but the whole primary account number (PAN) is not saved. Systems storing only truncated card numbers have a limited scope in a PCI DSS evaluation.
Protection methods such as encryption, truncation, masking, and hashing are critical components of account data protection. If an intruder circumvents security controls and gains access to account data, the data is unusable.
The traditional truncation format is to store the first six and last four digits. Unfortunately, confusing new PCI SSC rules and guidance coupled with correspondingly confusing rules from the card vendors have created a bit of a mess.
What is truncation?
Truncation is a method of rendering a full PAN unreadable by removing a segment of PAN data. Truncation relates to the protection of PAN when electronically stored, processed, or transmitted. The traditional standard is to hold the first six and last four digits. Recently there have been changes to truncation guidance.
Is truncated data in-scope for PCI compliance?
If you follow the rules, then handling or storing truncated data does not bring a system into scope.
Is truncation the same as masking?
No, truncation and masking have different purposes. Masking is blanking numbers from view on a terminal or printed receipt. In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed.
Truncation is storing an abbreviated version of the PAN, for example the first six and last four digits. It is a method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to the protection of PAN when stored in files, databases, etc.
Can we hash the card number instead?
Yes. Hashing, typically used to verify the integrity of data, is an algorithm that calculates a fixed-size bit-string value from an input in a way that cannot be reversed.
Hashing the PAN removes it from scope only if the hashed value cannot be associated with an encrypted or truncated version of the same PAN. In particular, you cannot both hash and truncate the same card numbers: having both would make it too easy to guess the missing digits of the truncated number.
What are the acceptable formats for truncating primary account numbers (PANs)? How can I interpret the new PCI SSC guidance?
The traditional truncation method keeps the first six and last four digits of the 16-digit PAN. That still works.
Late last year, the Council redefined truncation rules, and they are now a mess.
According to PCI guru Jeff Hall, "in December, the PCI SSC has given us an updated FAQ (#1091) on the subject of PAN truncation, and it will likely go down as the most confusing FAQ ever."
The FAQ starts simple enough with the statement:
"A maximum of the first six and last four digits of the PAN is the starting baseline for entities to retain after truncation, considering the business needs and purposes for which the PAN is used."
But it is the table that follows that gets messy.
It seems that each of the card brands has its own take on PAN truncation based on PAN length and other factors. Only American Express has stayed the course. Based on the guidance for UnionPay, Visa, Mastercard, JCB and Discover, the idea of the first six/eight and ANY OTHER four is a bit bizarre, not to mention risky. Never mind the obvious warning note at the end of the FAQ that states:
"Access to different truncation formats of the same PAN greatly increases the ability to reconstruct full PAN, and the security value provided by an individual truncated PAN is significantly reduced. Suppose the same PAN is truncated using more than one truncation format (for example, different truncation formats are used on different systems). In that case, additional controls should be in place to ensure that the truncated versions cannot be correlated to reconstruct additional digits of the original PAN."
We would recommend sticking with the good old first six and last four and avoiding these other formats, as you are likely setting yourself up for problems and PCI non-compliance.
According to the Council, "additional controls should be in place to ensure that the truncated versions cannot be correlated to reconstruct additional digits of the original PAN." The problem is that any given merchant or SP exposing some "other four" digits can't implement adequate controls because they can't know or control which numbers other merchants or SPs are revealing.
"No one correlates leaked data taken from multiple sources! Said NO ONE EVER!" - PCIGuru blog
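The truncation-versus-masking distinction above, and the FAQ's warning about correlating different truncation formats, can both be checked in code. The following is an added example written for this article, not code from the PCI SSC or Truvantis; the PAN, the format definitions and the function names are constructed for illustration, and a format is modelled simply as the set of digit positions that survive truncation.

```python
import re

# Constructed sample PAN (not a real card number), shown with display spacing.
SAMPLE_PAN = "1234 5678 9012 3456"

def first_last_format(pan_len: int, first: int = 6, last: int = 4) -> frozenset:
    """Retained positions for the traditional 'first N / last M' format."""
    return frozenset(range(first)) | frozenset(range(pan_len - last, pan_len))

def first_and_other_format(first: int, other_positions) -> frozenset:
    """Retained positions for a 'first N and ANY OTHER four' style format."""
    return frozenset(range(first)) | frozenset(other_positions)

def truncate_pan(pan: str, retained: frozenset, filler: str = "x") -> str:
    """Storage control: digits outside 'retained' are permanently dropped."""
    digits = re.sub(r"\D", "", pan)
    return "".join(d if i in retained else filler for i, d in enumerate(digits))

def mask_pan(pan: str, visible_last: int = 4) -> str:
    """Display control only: the full PAN still exists wherever it is stored."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - visible_last) + digits[-visible_last:]

def hidden_digits_after_correlation(pan_len: int, formats) -> int:
    """Digits that remain unknown when truncated copies in every listed
    format can be lined up against each other (the FAQ's warning case)."""
    exposed = frozenset().union(*formats)
    return pan_len - len(exposed)

def exceeds_baseline(pan_len: int, formats, first: int = 6, last: int = 4) -> bool:
    """True when the combined formats expose more of the PAN than the
    first-six/last-four baseline would on its own."""
    baseline_hidden = pan_len - first - last
    return hidden_digits_after_correlation(pan_len, formats) < baseline_hidden

if __name__ == "__main__":
    traditional = first_last_format(16)
    other_four = first_and_other_format(6, range(6, 10))   # first six + positions 7-10
    print("truncated:", truncate_pan(SAMPLE_PAN, traditional))
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("hidden digits, one format:   ",
          hidden_digits_after_correlation(16, [traditional]))
    print("hidden digits, both formats: ",
          hidden_digits_after_correlation(16, [traditional, other_four]))
    print("exceeds baseline:", exceeds_baseline(16, [traditional, other_four]))
```

A PCI scoping review can run `exceeds_baseline` over every truncation format in use across systems that hold the same PANs; a `True` result is exactly the situation in which the FAQ says additional controls are required.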
PCI DSS compliance can be expensive. You can reduce effort and cost by relying on a vendor to deal with it for you. Let them deal with compliance so you can invest in your business. The Truvantis® team comprises PCI DSS experts and Qualified Security Assessors with extensive experience as a trusted partner for compliance and validation.
Outsource your payments, segment your networks, tokenize your data, use P2PE/E2EE solutions – all are great ways to reduce your costs. But the devil is in the details – contact Truvantis to make sure you get it right.