acra
acra copied to clipboard
cossacklabs
[ISSUE] PAN masking does not meet the PCI SSC requirements
Describe the bug At the core, it is not a problem but an inconvenience. The PAN masking is a double edged sword. If you mask too much, then sometimes it blocks some business functions. If you mask too less, then you are non-compliant. In order to be able to tailor according to the regulations, one needs to have multiple settings in masking, such as left-6, right-4 -the most common and accepted one. But currently the only option is to pick either left or right.
The configuration can include both left and right settings to provide fine-tuned masking.
Additional context
Reference: https://www.advantio.com/blog/8-digit-bin-how-does-it-affect-pci-dss-compliance
| PAN (16 digits) | Display BIN and last four digits | Storage (truncation) BIN and any other four digits |
|---|---|---|
| 426398******9299First six (6) and last four (4) digits | YES, for 6 and 8-digit BINs | YES, for 6 and 8-digit BINs |
| 42639826******99First eight (8) and last two (2) digits | YES, for 8-digit BINs | YES, for 6 and 8-digit BINs |
| 42639826****9299First eight (8) and last four (4) digits | YES, but requires a list of roles that need access to displays of more than BIN and last four and a legitimate business need for each role to have such access. | YES, for 6 and 8-digit BINs |
| 4263982640******First ten (10) digits | YES, for 8-digit BINs | YES, for 8-digit BINs |
| 426398264026****First twelve (12) digits | YES, but requires a list of roles that need access to displays of more than BIN and last four and a legitimate business need for each role to have such access. | YES, for 6 and 8-digit BINs. |
| 42639826***69299First eight (8) and last five (5) digits | NO |
A good one, thank you!
Acra Enterprise Edition supports custom mask formats, but we will think about porting PAN mask format to Acra CE.
