Information Security
pci-dss credit-card pci-scope
Updated Thu, 14 Jul 2022 01:09:22 GMT

PCI-DSS compliance in scope if part of card number and expiry stored only?


If we were to store the following information about a credit card, would we need to be PCI-DSS compliant or are we out of scope? Please assume for the purposes of this question that we only store this information and don't actually process any credit card payments at all.

  1. Card BIN (first 6 digits)
  2. Card last 4 digits
  3. Expiry date



Solution

IANAQSA! That data doesn't put you in scope, but you're probably in scope anyway, by dint of whatever relationship you're in that gets you access to that non-scoped data.

To quote PCI-DSS 3.2 (emphasis as per source):

The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.

If you never have the full Primary Account Number, then you do not have cardholder data. That is not to say that you're not subject to the DSS, however. Even a merchant who outsources all handling of their card data to their service provider is subject to something like the SAQ A (Self Assessment Questionnaire).

What you're describing (first 6, last 4) is called Truncation and is described in section 3.4 of the DSS. So someone - your service provider? - is truncating card numbers and handing those to you in lieu of card numbers. If that's the case, your service provider should be authoritative for helping you figure out what your scope is under the DSS.

It comes down to this:

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.

Do those truncated numbers put you in scope? No. If you're receiving truncated numbers, are you likely in a relationship that makes you subject to the PCI DSS as above? Very likely, yes.
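The truncation the answer refers to (requirement 3.4 of PCI DSS 3.2), as an added example that is not part of the original answer: a function that keeps only the BIN and last four the question lists, and a second function showing the caveat the same requirement's note spells out, that a truncated PAN stored next to an unkeyed hash of the full PAN lets anyone recover the full PAN by searching the missing middle digits. The card numbers and the SHA-256 choice are assumptions made for the example; the numbers are the usual Luhn-valid test values, not real accounts.

```python
# Added example, not from the original answer: PCI DSS 3.2 req. 3.4 style
# truncation (first six / last four) and the reconstruction risk the same
# requirement warns about when truncated and hashed PANs sit side by side.
# Card numbers are constructed Luhn-valid test numbers, not real accounts.
import hashlib
import itertools
from typing import Optional, Tuple

BIN_DIGITS = 6   # maximum leading digits PCI DSS 3.2 allows a truncated PAN to keep
LAST_DIGITS = 4  # maximum trailing digits


def luhn_sum(pan: str) -> int:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def validate_pan(pan: str) -> bool:
    """13-19 digits with a valid Luhn check digit; no issuer lookup is attempted."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_sum(pan) % 10 == 0


def truncate_pan(pan: str) -> Tuple[str, str]:
    """Keep only what the question describes: BIN (first 6) and last 4.
    The middle digits are discarded, not masked, so no full PAN is retained."""
    if not validate_pan(pan):
        raise ValueError("not a plausible PAN")
    return pan[:BIN_DIGITS], pan[-LAST_DIGITS:]


def pan_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the full PAN (assumed here as the stored 'hashed PAN')."""
    return hashlib.sha256(pan.encode()).hexdigest()


def reconstruct_pan(bin6: str, last4: str, length: int, digest: str) -> Optional[str]:
    """Recover the full PAN from truncation + unkeyed hash by searching the missing middle.
    The last middle digit sits at an undoubled Luhn position, so it is solved from the
    checksum instead of enumerated: a 16-digit PAN costs 10**5 hashes, not 10**6."""
    middle = length - BIN_DIGITS - LAST_DIGITS
    for prefix in itertools.product("0123456789", repeat=middle - 1):
        head = bin6 + "".join(prefix)
        fixer = (-luhn_sum(head + "0" + last4)) % 10  # digit that makes Luhn pass
        candidate = head + str(fixer) + last4
        if pan_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real account
    bin6, last4 = truncate_pan(pan)
    print(f"stored: bin={bin6} last4={last4}")
    recovered = reconstruct_pan(bin6, last4, len(pan), pan_hash(pan))
    print("recovered full PAN from truncation + hash:", recovered)
```

The first half is the storage the question asks about: once only `bin6` and `last4` exist, there is no PAN to protect. The second half is why that only holds if nothing else in the same environment can be combined with it; the 3.4 note in PCI DSS 3.2 makes exactly this point about truncated and hashed versions of the same PAN. Using a keyed hash (an HMAC whose key is held outside the data store) instead of a bare SHA-256 removes the offline search, since the attacker can no longer compute candidate digests.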





Comments (1)

  • +0 – Thank you, that was very helpful and better explained for me to understand than some of the other questions linked to. — May 16, 2016 at 14:01  

