I completed the PCI Professional Certification (PCIP) today. It wasn’t very difficult actually, but this is coming from a guy who has gone through more than a dozen PCI-DSS projects for clients ranging from merchants and service providers to banks, … Continue reading
In one of the more awkward consulting situations, I was sitting in a room where my client’s technical lead, along with his impressionable junior staff, started talking about Requirement 3 of PCI, which we all know is the … Continue reading
Over the course of MANY PCI-DSS projects, we have come across a fair number of scenarios: from the shake-your-head unbelievable nonsense, such as an acquirer bank sending full PANs over fax or email to our service-provider client and then refusing to comply with PCI itself, to the often-stated problem: “we need to keep the full PAN to identify the transaction so we can reconcile it later.”
That last one is particularly grating, because it makes our customer’s scope so large, so unnecessarily. One client we are working with now, when asked, and asked, and asked again, finally conceded that they don’t actually require the full PAN.
According to PCI Compliance, 3rd Edition (Syngress):
Did you know that you only need four elements to uniquely identify any transaction in your enterprise, and one of those is not the full card number? These elements are as follows:
First six and last four (or just last four) digits of the card number,
Date and time of purchase,
Amount of purchase,
Customers who have used this method have never reported that two transactions matched these elements identically but had different card numbers.
I’ve been saying that from day one: you don’t need the full 16 digits. The reason people insist on it is that they, their service provider or their developers are too lazy to change the primary reference key to a combination of several parameters that identifies a unique record. It’s laziness. So instead they take the most unique key available, the PAN, and use it, pulling in compliance controls that could easily have been avoided. A properly truncated PAN (at most the first six and last four digits) is not protected cardholder data under Requirement 3, so a record keyed on it stays clear of the storage controls that a full PAN drags in. Unless you are an issuer or acquirer, you can technically avoid the most painful compliance controls if you just STOP obsessing over storing PANs!!
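As an added illustration, not code from the original post or from the book it quotes, here is a Python sketch of the scheme the quoted passage describes: the merchant stores only the truncated PAN (first six and last four) alongside date/time and amount, and reconciles acquirer settlement lines against that composite key. The record layout and names (`StoredTxn`, `recon_key`, `reconcile`, `contains_full_pan`), the minute-level timestamp rounding, and the sample card numbers, amounts and times are this example’s own assumptions. It also handles the case the book says its readers never hit: two stored records sharing a key are reported as ambiguous instead of one being silently picked.

```python
"""Reconcile transactions on a composite key instead of the full PAN.

Added example, not from the original post or the book it quotes.  Record
layout, function names, the minute-level timestamp rounding and all sample
data below are assumptions made for the illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass(frozen=True)
class StoredTxn:
    """What the merchant persists: truncated PAN only, plus the other
    identifying elements from the quoted passage."""
    txn_id: str
    pan_trunc: str
    ts: datetime
    amount: Decimal


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest, which is
    the most a truncated PAN is allowed to retain."""
    digits = re.sub(r"\D", "", pan)          # drop spaces, dashes, etc.
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def recon_key(pan: str, ts: datetime, amount: Decimal, use_bin: bool = True) -> tuple:
    """Composite key: (first six + last four, or just last four), timestamp
    rounded to the minute, amount at two decimals.  Accepts a full PAN or an
    already-truncated one, because masking characters are stripped first,
    so both sides of a reconciliation compute the same key."""
    digits = re.sub(r"\D", "", pan)
    if use_bin:
        if len(digits) < 10:
            raise ValueError("need first six and last four digits")
        card = digits[:6] + digits[-4:]
    else:
        if len(digits) < 4:
            raise ValueError("need the last four digits")
        card = digits[-4:]
    # Assumption: both sides agree on time to the minute; adjust if the
    # acquirer file carries a different granularity.
    return (card, ts.replace(second=0, microsecond=0), amount.quantize(Decimal("0.01")))


def ingest(txn_id: str, full_pan: str, ts: datetime, amount: Decimal) -> StoredTxn:
    """Point of capture: the full PAN is used once to derive the truncated
    form and is not part of the returned record."""
    return StoredTxn(txn_id, truncate_pan(full_pan), ts, amount)


def reconcile(stored, settlement, use_bin: bool = True):
    """Match acquirer settlement lines (pan, ts, amount) to stored records.
    Returns (matched, ambiguous, unmatched): matched maps settlement index to
    the single txn_id with that key; ambiguous lists every candidate when more
    than one stored record shares the key, so nobody silently picks one."""
    index = defaultdict(list)
    for s in stored:
        index[recon_key(s.pan_trunc, s.ts, s.amount, use_bin)].append(s.txn_id)
    matched, ambiguous, unmatched = {}, {}, []
    for i, (pan, ts, amount) in enumerate(settlement):
        ids = index.get(recon_key(pan, ts, amount, use_bin), [])
        if len(ids) == 1:
            matched[i] = ids[0]
        elif ids:
            ambiguous[i] = ids      # needs one more element agreed on both sides
        else:
            unmatched.append(i)
    return matched, ambiguous, unmatched


def contains_full_pan(records) -> bool:
    """Audit check over what is stored: is any 13-19 digit run left anywhere?"""
    return any(re.search(r"\d{13,19}", repr(r)) for r in records)


# Constructed sample data (well-known test card numbers, invented amounts/times).
SAMPLE_STORED = [
    ingest("T-1001", "4111 1111 1111 1111", datetime(2014, 5, 2, 13, 41, 7), Decimal("125.00")),
    ingest("T-1002", "5500000000000004", datetime(2014, 5, 2, 13, 42, 30), Decimal("49.90")),
    # Same card, same minute, same amount as T-1001: the collision case.
    ingest("T-1003", "4111111111111111", datetime(2014, 5, 2, 13, 41, 50), Decimal("125.00")),
]
SAMPLE_SETTLEMENT = [  # what an acquirer file might carry: still the full PAN
    ("5500000000000004", datetime(2014, 5, 2, 13, 42, 31), Decimal("49.9")),
    ("4111111111111111", datetime(2014, 5, 2, 13, 41, 9), Decimal("125.00")),
    ("4000000000000002", datetime(2014, 5, 2, 14, 0, 0), Decimal("10.00")),
]

if __name__ == "__main__":
    print("stored:", SAMPLE_STORED)
    print("full PAN still stored?", contains_full_pan(SAMPLE_STORED))
    print("matched / ambiguous / unmatched:", reconcile(SAMPLE_STORED, SAMPLE_SETTLEMENT))
```

The full PAN is only ever touched inside `ingest`; everything persisted or indexed is derived from the truncated form, and `contains_full_pan` is the sanity check to run over whatever actually lands in the database. The `use_bin=False` mode covers the “just last four” variant the quote mentions, at the cost of more collisions, which is exactly why the ambiguous path exists.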
Almost a year since PDPA came into force last year, we are still faced with slow adoption by many of our clients. We are still getting questions on whether they need to ‘register’ or not, and if they don’t, they … Continue reading