0

Note: it is not really a masked PAN as nothing is masked so to speak.

For testing purposes, I need users to only submit their first 6 and 4 last digits of their CC. At no point at all will they submit their full PAN or any other card data. Is it ok to store the first 6 and last 4 digits?

schroeder
  • 129,372
  • 55
  • 299
  • 340
Daan
  • 1
  • According to the basics document, first 6 and last 4 are specifically called out as being ok: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf – schroeder Oct 25 '19 at 12:51
  • While the question is not a full duplicate, the answers cover your needs. – schroeder Oct 25 '19 at 12:54
  • I cannot refer you to masking rules since you mention that nothing is really masked, just limited information is derived from the users.

    But considering that displaying the first 6 digits and the last 4 digits of a CC are compliant with PCI DSS rules, I don't think there is an issue with storing them as is.

    However, I would suggest that you only store what is really required to be stored, there is no need to store the first six digits and the last four if it isn't absolutely necessary, for best practice.

     – s h a a n Oct 25 '19 at 12:55
  • Thank all, yes I read all PCI documents but I just wanted to make sure as I will not be masking anything merely storing limited information derived from users. We will be deleting all records once there is no more need for them (quaterly cleanup or somehting like this). Thanks for the help, my end take away from this is that I can store as is wihtout the need of any encryption etc (bearing in mind that is always better to limit info storage to the necessary) – Daan Oct 25 '19 at 13:03

0 Answers0