Truncated PAN must be protected according to PCI DSS requirements. Instructions for truncating the PAN are described in PCI DSS, specifically PCI DSS requirement 3.4.
PCI DSS requirement 3.4 specifies that the PAN must be rendered unreadable anywhere it is stored, and it lists the acceptable methods for meeting this requirement: one-way hashes based on strong cryptography (of the entire PAN), truncation, index tokens and pads (with the pads securely stored), and strong cryptography with associated key-management processes. Truncation is the method discussed here.
A security compromise of cardholder account data could occur if the PAN is not truncated correctly. It’s critical to understand the requirements for PAN truncation if your company works with digital payments, stores PAN, or creates payment systems that store PAN.
Truncation is the act of permanently removing a segment of the PAN so that only a subset of its digits is retained, and it is an acceptable method of rendering stored cardholder data unreadable.
It’s worth noting that truncation is a permanent operation, unlike PCI DSS requirement 3.3, which mandates masking the PAN when it is displayed. Truncation renders the stored PAN unreadable, whereas requirement 3.3 covers the temporary masking of a full PAN when card data is shown on screens or printed on paper receipts.
According to the PCI Council, there are multiple truncation methods acceptable, which we will discuss in detail below.
What are the acceptable formats for truncating primary account numbers (PANs)?
PAN and other cardholder data should only be stored if they are required for legal, regulatory, or business reasons. Not storing cardholder data at all is the simplest way to avoid dealing with PCI DSS Requirement 3 and reduces the overall scope of a PCI DSS assessment.
The PCI DSS expressly warns against storing a hashed version of a PAN alongside a truncated version of the same PAN. If an attacker obtains both the truncated and the hashed versions, reconstructing the full PAN can be simple: the truncated version leaves only a few digits unknown, and the hash lets every guess be verified.
Wherever both forms of the PAN are present, you must implement additional controls to ensure the original PAN cannot be regenerated. The same applies when several differently truncated versions of the same PAN are stored on the same media.
A truncated PAN replaces the removed middle digits with a placeholder such as “x” or “0”. Importantly, a hash cannot be used to replace the truncated segment of the PAN. The advantage of truncation over encryption is that the removed digits are gone for good: encrypted card data is unreadable only for as long as the decryption key stays with the processor that holds it, and has no meaning to anyone else, whereas truncated data cannot be restored even by the party that stored it.
The common industry practice is to remove the middle six digits, but the standards of the major card brands vary slightly. Organizations that need flexibility in this area should review each card brand’s individual requirements.
PCI DSS-acceptable truncation formats vary with PAN length and Payment Brand requirements.
- The baseline is to keep at most the first six and last four digits of the PAN after truncation, depending on the business need and the purposes for which the PAN is used.
- When more PAN digits are required for business functions, organizations should refer to the table below for the formats each Payment Brand accepts.
The table below specifies acceptable truncation patterns for each payment brand by PAN and BIN length. Because each payment brand has different PAN and BIN lengths and requirements, questions about a brand’s truncation requirements should be directed to that payment brand.
- If you use truncation for purposes other than storage, you must verify that the formats are compatible with each applicable Payment Brand.
- Access to different truncation formats of the same PAN dramatically increases the ability to reconstruct the entire PAN, so the security value of any individual truncated PAN is significantly reduced.
- If the same PAN is truncated using more than one truncation format, additional controls must be in place so that the truncated versions cannot be correlated to recover the missing digits of the original PAN.
As the payment brands complete the transition to 8-digit BINs from April 2022, organizations need to take the necessary measures so that they can still identify the BIN and the customer from the card number while remaining PCI DSS compliant.
With Bank Identification Numbers (BINs) growing from six to eight digits, storing the first eight and last four digits of the PAN instead of the first six and last four raises issues on the PCI DSS compliance side.
If the truncation rule were changed to allow the first eight and last four digits to be stored, it would weaken security by reducing the number of digits an attacker has to guess: for a 16-digit PAN, only four digits would be removed instead of six.
PCI recommends that at least six digits be truncated or encrypted to protect data at rest. If you rely on truncation as the only method of complying with the PCI requirement to protect data at rest and you want to retain the last four digits in addition to the eight-digit BIN, you must additionally apply another acceptable protection method such as encryption, hashing, or tokenization.
In short, if the card number is to be stored as the first eight and last four digits, truncation alone is not enough and a second protection method must be applied on top of it.
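To make the reconstruction risk concrete, here is an added Python example (written for this article, not code from PCI SSC or any card brand) that counts how many Luhn-valid card numbers are consistent with a truncated PAN under the first-six/last-four and first-eight/last-four formats discussed above, and shows what happens when two differently truncated versions of the same PAN are correlated, as the previous section warns. It uses the public Visa test number 4111111111111111 as a constructed sample; the “first six plus the next four” second format is a hypothetical one chosen for illustration, not a brand-approved format.

```python
"""
Added example: how much of a truncated PAN an attacker can reconstruct.
The Luhn check digit removes a factor of 10 from the search space, and
correlating two truncation formats of the same PAN removes far more.
The sample PAN is the public Visa test number 4111111111111111 (a
constructed sample, not a real account).
"""
from itertools import product

MASK = "x"  # placeholder for removed digits (the article also mentions "0")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod-10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str, keep: set) -> str:
    """Truncate a PAN, keeping only the 0-based digit positions in `keep`."""
    return "".join(ch if i in keep else MASK for i, ch in enumerate(pan))


def first_last(length: int, first: int, last: int) -> set:
    """Positions retained by a 'first N / last M' truncation format."""
    return set(range(first)) | set(range(length - last, length))


def merge(*versions: str) -> str:
    """Correlate several truncated versions of the same PAN: a position is
    known if any version reveals it. Conflicting digits mean the inputs
    are not the same PAN."""
    merged = []
    for i in range(len(versions[0])):
        known = {v[i] for v in versions if v[i] != MASK}
        if len(known) > 1:
            raise ValueError(f"conflicting digits at position {i}: {known}")
        merged.append(known.pop() if known else MASK)
    return "".join(merged)


def _solve_last_digit(digits: list, pos: int) -> str:
    """Return the digit at `pos` that makes the number Luhn-valid, given
    that every other position in `digits` is already filled in."""
    n = len(digits)
    total = 0
    for i, ch in enumerate(digits):
        if i == pos:
            continue
        d = int(ch)
        if (n - 1 - i) % 2 == 1:  # doubled position, counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    need = (-total) % 10
    if (n - 1 - pos) % 2 == 1:
        # doubled position: invert the map d -> (2d, minus 9 if > 9)
        return str(need // 2) if need % 2 == 0 else str((need + 9) // 2)
    return str(need)


def luhn_completions(truncated: str):
    """Yield every Luhn-valid PAN consistent with a truncated pattern.
    All unknown positions but one are brute-forced and the last is solved
    from the checksum, so k unknown digits yield 10**(k-1) candidates."""
    unknown = [i for i, ch in enumerate(truncated) if ch == MASK]
    if not unknown:
        if luhn_valid(truncated):
            yield truncated
        return
    *free, last = unknown
    digits = list(truncated)
    for combo in product("0123456789", repeat=len(free)):
        for pos, d in zip(free, combo):
            digits[pos] = d
        digits[last] = _solve_last_digit(digits, last)
        yield "".join(digits)


def candidate_count(truncated: str) -> int:
    """Number of PANs an attacker must try for a given truncated value."""
    return sum(1 for _ in luhn_completions(truncated))


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample PAN (Luhn-valid)
    six_four = truncate(pan, first_last(16, 6, 4))    # 411111xxxxxx1111
    eight_four = truncate(pan, first_last(16, 8, 4))  # 41111111xxxx1111
    # hypothetical second format: first 6 plus digits 7-10 instead of last 4
    six_mid = truncate(pan, set(range(10)))           # 4111111111xxxxxx
    print(six_four, candidate_count(six_four))        # 100000
    print(eight_four, candidate_count(eight_four))    # 1000
    both = merge(six_four, six_mid)                   # 4111111111xx1111
    print(both, candidate_count(both))                # 10
    print(pan in set(luhn_completions(both)))         # True
```

Because the Luhn check digit is fixed by the other digits, k unknown digits leave only 10^(k-1) candidates: 100,000 for first-six/last-four on a 16-digit PAN, 1,000 for first-eight/last-four, and just 10 once the two truncated versions above are combined. Any oracle that confirms a candidate, such as a hash of the full PAN stored alongside it, then makes the remaining search trivial, which is exactly why the standard requires extra controls whenever more than one form of the same PAN is kept.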
What are the 8 Digit BIN Support Dates by Payment Brands?
Visa and Mastercard confirmed that they support the ISO’s revised guidance and plan to adopt the new standard in 2022. Both networks specified that acquirers and acquirer processors should be ready to operate in 8-digit BINs.
After April 2022, Visa will only issue 8-digit BINs. Mastercard will issue 8-digit BINs after April 2022 but has not set a date to stop issuing 6-digit BINs.
Mastercard also announced that by 2022, issuers would need to activate account ranges, and acquirers should be ready to operate with 8-digit BINs and 11-digit account ranges.
Other major networks, including American Express, Diners Club, Discover, and China Union Pay, have not announced timelines for adopting the new 8-digit BIN.