What should you be know about PAN data in PCI DSS?

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec

 

Introduction

PAN Number or Primary Account Number as we call it is a very sensitive data often used when making online payments or transactions. Customers often share this data with merchants from whom they purchase products or services online. However, customers do expect the merchants and financial institutes to protect the data and prevent incidents of threat. Storing the PAN data for most merchants is a necessity as they may have a legitimate business reason to store cardholder data. But storing PAN data has its share of risk on a business’s network security. Over the years businesses have been storing this data on their server for easy and quick access without realizing the risk it holds and the impact it may have on business.

In fact, most of the data breach incidents that have occurred over the years are due to the storage of unencrypted PAN data on the merchant’s/Service Provider’s servers. While the PCI Council clearly states not to store PAN data yet most merchants for increased consumer convenience store PAN data on their network. Storing customer’s PAN data increases the security risk and, also increases the scope of PCI compliance. So, unless businesses have a legit commercial reason to store PAN data, should not store it. Covering more on this in detail we have today shared details about PAN data and PCI DSS that businesses must know to ensure compliance. So, before getting straight to it let us understand the term PAN Data.

 

What is PAN Data?

PAN Data is basically the 15 or 16 digit numbers on the front of your debit/credit card which is also known as the Primary Account Number. They are also called payment card numbers and are often found on payment cards like credit and debit cards. The PAN account number is printed or embossed on the front of this payment card. The PAN number is issued by customers to merchants at the Point of Sale (POS) that identifies the issuer and the cardholder account while making payments. Customers when making an online purchase share the PAN number to make payments online. These PAN details are used by the merchants to process the payments online.

 

How does PAN Impact PCI DSS Compliance?

Payment Card Industry Data Security Standard clearly states that merchants dealing with online payments or accepting credit/debit card payments must avoid storing sensitive PAN numbers. The PCI DSS Requirement 3 addresses the protection of stored cardholder data. So, considering the storage of PAN data will automatically increase the scope of PCI DSS Compliance for the merchants. This way merchants will have to take additional measures for securing the stored PAN data in the network.

Storing unencrypted PAN data on the network will increase the potential risk of breach and end up having a significant impact on business. It is therefore necessary to secure PAN Data in form of encryption or other techniques as suggested in PCI DSS requirements. Explaining the requirement we have shared the PCI DSS data storage requirements in detail.

 

PAN Data storage in PCI DSS

Merchants may at times for commercial purposes may have to store PAN Data in their server. For these reasons, they will have to take extra precautions and implement additional measures to ensure the security of data and compliance with PCI DSS. The PCI Council outlines the requirement of encryption of cardholder data stored with the merchant. However, it is important to note that not all elements of cardholder need to be encrypted when stored on the server. It is only the PAN data that needs to be encrypted, the rest of the Sensitive Authentication Data (SAD) such as Stripe Data, are not allowed to be even stored by merchants.

What is more important to know and understand about PAN Data storage is that the only times that PAN is not considered to be cardholder data would be when details such as the the cardholder’s name and/or expiry date are not mentioned.  But this does not really happen and so merchants will have to implement measures to secure PAN data. Merchants must equip their data network to deal with PAN securely especially when it is transmitted at the POS.

Moreover, PCI DSS requirement 3.4 states that all merchants must use one of the following techniques to render PAN unreadable. This requirement applies when the PAN Data is stored or when the data is at rest anywhere including portable digital media, backup media, and logs. The techniques of rendering the PAN data unreadable includes

  • Strong cryptography of the PAN
  • PAN truncation (removal of the middle digits),
  • Index tokens and pads
  • Key-management processes

PCI DSS requirement 3.3 specifically requires the PAN data to be masked whenever on display. So, this way, the only digits of the PAN that may be visible are the first six and last four digits. With this only authorized businesses with legitimate commercial needs can see the rest of the information.

 

Final Thought

Despite all the clarity given in terms of the possible threat with storing PAN data nearly 65% of the merchants continue to store unencrypted PAN data on their servers and network. Further, what adds to the problem is that merchants are not able to handle and appropriately secure these stored PAN and cardholder data. Understanding the importance of PAN data and securing them is crucial. This is to prevent incidents of breach and theft. So, the only possible way to prevent this is by implementing measures of defense for handling such sensitive data. Ensuring that the PAN is  protected using one-way hashing or truncation methodologies is one way of assuring the customer’s security of the cardholder data. This way it would also help businesses ensure maintaining PCI DSS Compliance and securing sensitive data.

spot_img

Explore more