
I have a fraud detection system.

From the client side (browser) I want to receive and store the BIN section of the card number (first 6 digits) and, if possible, also the last 4 digits.

Besides the above, I do not process or store credit card numbers (or any other payment method). I also don't process or store any personal information (I don't get user name / email / ID number etc.).

So, my question is: in my case as described above, if I store only the first 6 digits (and, if possible, also the last 4), do I need to comply with any PCI (or other regulatory) requirements?

It seems that storing only a fragment of the whole PAN is not within the scope of PCI (https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS), unless my system is considered a "connected system". So, if the client side where the user fills in the credit card number sends only the BIN to my system, should my system be considered a "connected system"?

Thanks!

1 Answer


So, if the client side where the user fills in the credit card number sends only the BIN to my system, should my system be considered a "connected system"?

No. The phrase "connected system" in PCI has a specific meaning; to quote DSS 3.2.1, "Scope of PCI DSS Requirements":

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.

"Connected" means that you're a Merchant or a Processor or some other entity that has a Cardholder Data Environment. The CDE is fundamentally in scope, and the systems "connected" to that environment are also in scope as a result of that connection.

If you are not a Merchant, and not gathering PAN, then you are not in scope for PCI DSS. (You want to be careful, though; I would ask the user for first 6 and last 4 and not have them type in the full PAN even if your code intends to discard the middle.)

gowenfawr
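The answer's closing advice is to collect the first 6 and last 4 as separate fields rather than taking the full PAN and discarding the middle. The following is an added browser-side example, not code from the question or the answer, showing what that looks like in practice: two fragment fields are validated to their exact lengths, an oversized value (such as a full PAN pasted into the BIN field) is rejected rather than silently truncated, and the serialized form data is scanned for any PAN-like digit run before the request is built. The field names, the `/api/fraud-check` endpoint path and the 13-19 digit PAN-length range used for the scan are assumptions made for this example.

```javascript
// Added example (not part of the original Q&A): build a fraud-check request
// from separately collected card fragments so a full PAN never exists in the
// form data or in the request sent to the fraud service.
// Field names, the endpoint path and the 13-19 digit range are assumptions.

const BIN_LENGTH = 6;    // first 6 digits of the PAN (the issuer BIN)
const LAST4_LENGTH = 4;  // last 4 digits of the PAN

// True only when value is a string of exactly `expectedLength` ASCII digits.
function isDigits(value, expectedLength) {
  return typeof value === 'string' &&
    new RegExp(`^[0-9]{${expectedLength}}$`).test(value);
}

// Detects a run of 13-19 digits, optionally separated by spaces or dashes,
// i.e. anything shaped like a full card number. Used as a "PAN canary" on the
// whole outgoing form data, not just the two fragment fields.
function containsPanLikeSequence(text) {
  return /(?:[0-9][ -]?){13,19}/.test(String(text));
}

// Validate the two fragments and return the minimal payload. Any value that is
// not exactly the expected fragment length throws, so a pasted full PAN is
// refused instead of being cut down to 6 digits and forwarded.
function buildFraudPayload({ bin, last4 }) {
  const cleanBin = String(bin ?? '').replace(/\s+/g, '');
  const cleanLast4 = String(last4 ?? '').replace(/\s+/g, '');
  if (!isDigits(cleanBin, BIN_LENGTH)) {
    throw new Error(`bin must be exactly ${BIN_LENGTH} digits`);
  }
  if (!isDigits(cleanLast4, LAST4_LENGTH)) {
    throw new Error(`last4 must be exactly ${LAST4_LENGTH} digits`);
  }
  return { bin: cleanBin, last4: cleanLast4 };
}

// Build the request the browser would send with fetch(). The serialized form
// fields are scanned first: if any field carries a PAN-like value the request
// is refused, because sending it would pull the receiving system into scope.
function prepareFraudRequest(fields) {
  const serialized = JSON.stringify(fields);
  if (containsPanLikeSequence(serialized)) {
    throw new Error('refusing to send: form data contains a full PAN-like value');
  }
  const payload = buildFraudPayload(fields);
  return {
    url: '/api/fraud-check',          // assumed endpoint path
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Configure the two inputs so a full PAN cannot even be typed into them.
// Takes DOM input elements; only meaningful in a browser.
function attachCardFragmentInputs(binInput, last4Input) {
  for (const [input, len] of [[binInput, BIN_LENGTH], [last4Input, LAST4_LENGTH]]) {
    input.maxLength = len;
    input.inputMode = 'numeric';
    input.pattern = `[0-9]{${len}}`;
    input.autocomplete = 'off';
  }
}
```

Usage in the browser would be `attachCardFragmentInputs(binField, last4Field)` once on page load, then `prepareFraudRequest({ bin: binField.value, last4: last4Field.value })` in the submit handler and passing the result to `fetch`. The `maxLength` attribute is a usability guard only; the length checks and the PAN scan in `prepareFraudRequest` are what actually stop an oversized value from leaving the page.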