Protecting PAN According to PCI DSS Rules


It’s crucial that any company handling consumer cardholder information, including card numbers, protect that information from any and every unauthorized user. The PCI Security Standards Council has determined that to promote security and usability, it’s not enough to secure a system perimeter and encrypt data. Instead, companies have to approach data obfuscation through a series of requirements that protect it from theft while allowing the company to utilize it for regular commercial purposes. 

Here, we’ll discuss Primary Account Numbers (PAN) and how you must protect them under PCI DSS.


What Are Primary Account Numbers?


Primary Account Numbers, or PANs, are unique identification number sequences generated by card providers to designate a primary account for purposes of processing payments. In essence, these PANs are the card numbers you see on the front of your credit or debit card and the number used to make purchases on digital or eCommerce storefronts. 

PANs are not generated randomly, however. Each number has a specific arrangement that payment processors use to identify and authenticate the cards. This arrangement will differ slightly from one card network to the next but will usually include the following components:

  • Major Industry Identifier (MII): The first digit of any card number will refer to the major network provider that supports that card. For example, a Visa card will start with a four (4), while a Discover card will start with a six (6).
  • Issuer/Bank Identification Number (IIN/BIN): The next digits, known as the IIN or BIN, identify the financial institution that issued the card. The length of this number varies by issuer. Often, the leading digits (including the MII) are collectively referred to as the BIN.
  • Account Number: A variable-length number of no more than nine digits that uniquely identifies the individual account at the institution in question.
  • Check Digit: The final digit is a checksum computed with the Luhn Algorithm, confirming that the preceding digits are consistent. This helps catch simple errors in processing or number entry.
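The following is an added example, not code from the original article, that walks through the structure just described: it strips separators, recomputes the Luhn check digit, and splits a PAN into MII, BIN, account number and check digit. The six-digit BIN length is an assumption taken from the article's own description; real IIN lengths vary by issuer. The card numbers used are constructed test values, not real accounts.

```python
"""Luhn validation and PAN component breakdown.

Added example, not code from the original article. The card numbers in the
tests are constructed test values (e.g. 4111111111111111), not real accounts.
"""


def pan_digits(pan: str) -> str:
    """Strip the spaces and dashes commonly typed between digit groups."""
    return "".join(ch for ch in pan if ch.isdigit())


def luhn_check_digit(partial_pan: str) -> str:
    """Return the Luhn check digit that completes `partial_pan`.

    Walking from the right, every digit at an even offset (the one that will
    sit next to the check digit, and every second one after that) is doubled,
    and doubled values above 9 have 9 subtracted before being summed.
    """
    total = 0
    for offset, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the final digit is the correct checksum for the preceding digits."""
    digits = pan_digits(pan)
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


def split_pan(pan: str, bin_length: int = 6) -> dict:
    """Break a PAN into the components described in the article.

    bin_length defaults to 6 because the article works with six-digit BINs;
    the real IIN/BIN length varies by issuer, so it is a parameter here.
    """
    digits = pan_digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return {
        "mii": digits[0],
        "bin": digits[:bin_length],
        "account": digits[bin_length:-1],
        "check_digit": digits[-1],
        "luhn_valid": luhn_valid(digits),
    }


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "4111111111111112"):
        print(sample, split_pan(sample))
```

The second sample differs from the first only in its last digit, which is enough for `luhn_valid` to reject it; this is the kind of entry error the check digit is designed to catch.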

As might be expected, full knowledge of a card number could allow hackers to commit fraud. Beyond compromising the card itself, the full number lets a hacker link a card network, an issuing bank, and an individual account number to a specific customer. That gives the hacker a significant head start on stealing further information from that customer.

Because of this, the PCI Security Standards Council has built PAN security into the overall PCI DSS standard.

Requirement 3, “Protect Stored Account Data,” defines certain obligations for regulated businesses, including the expectation that these businesses render PANs unreadable to unauthorized users. 


How Can You Make PAN Unreadable?

Rendering PAN unreadable follows standard security practices like encryption. However, because businesses using card data need actual access to that data for processing purposes (e.g., verifying users, processing recurring or subscription payments), simply encrypting it isn't always feasible.

Therefore, PCI DSS accepts several approaches to rendering PAN unreadable that take the structure of card numbers into account.

These approaches include:


PAN Masking

Simply put, masking card information involves taking stored PAN information and replacing selected digits with another symbol (usually an X or a hash mark). You've probably come across this practice when purchasing at a physical store that provides paper receipts: the card number printed on the receipt shows only the final four or so digits.

For internal security purposes, there are different requirements. First, only authorized viewers may see unmasked PAN information; any other display of it must be masked. Second, the unmasked portion must not exceed the first six digits (the BIN) and the last four digits, meaning that the unique account number must always be masked at a minimum. Finally, masking should cover any and all PAN information not required for processing.


PAN Truncation

Truncation is nearly identical to masking in that it limits access to the entirety of the card number. The difference is that, with truncation, the full account number is never stored on the server; only the truncated version is retained.

Truncated PAN information can be used for authorization or authentication in places where the entire number isn't needed, and it lets businesses use the BIN and the check digit as part of internal processes if required.

Furthermore, truncation reduces the attack surface open to hackers. If the full PAN is never stored, attackers who come across truncated values during a data breach cannot reconstruct the full number from what they stole.
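To make the difference between the two sections above concrete, here is an added example (not code from the original article) that masks a PAN for display, enforcing the first-six/last-four limit, and truncates it for storage so the middle digits are discarded rather than hidden. It also includes a small scan that flags full-length digit runs in text that should only ever contain masked or truncated values, the kind of check a practitioner runs over logs or exports. The record layout and sample PAN are constructed for illustration.

```python
"""Masking a PAN for display versus truncating it for storage.

Added example, not code from the original article. The sample PAN and the
record layout are constructed for illustration.
"""
import re

MAX_LEADING = 6   # the BIN
MAX_TRAILING = 4  # the last four digits


def pan_digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str, show_first: int = MAX_LEADING, show_last: int = MAX_TRAILING,
             mask_char: str = "X") -> str:
    """Return the PAN for display with everything but the permitted digits masked.

    Callers may ask to show fewer digits (a receipt usually shows only the last
    four) but never more, so the account-number digits are always covered.
    """
    digits = pan_digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    if not (0 <= show_first <= MAX_LEADING and 0 <= show_last <= MAX_TRAILING):
        raise ValueError("at most the first six and last four digits may be shown")
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + mask_char * hidden + digits[len(digits) - show_last:]


def truncate_pan(pan: str) -> str:
    """Return the value that is *stored*: first six and last four only.

    Unlike masking, the middle digits are discarded rather than hidden, so the
    stored record contains nothing from which the full PAN can be rebuilt.
    """
    digits = pan_digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:MAX_LEADING] + digits[-MAX_TRAILING:]


def make_transaction_record(pan: str, amount_cents: int) -> dict:
    """Record written to the ordinary database: it holds the truncated value and
    a receipt-style display string, never the full PAN (constructed layout)."""
    return {
        "pan_truncated": truncate_pan(pan),
        "pan_display": mask_pan(pan, show_first=0),
        "amount_cents": amount_cents,
    }


# 13 to 19 digits, optionally separated by single spaces or dashes, not part
# of a longer digit run.
_PAN_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_like_sequences(text: str) -> list[str]:
    """Flag digit runs that look like full PANs in text that should hold only
    masked or truncated values (a simple check for logs and exports)."""
    return [m.group(0) for m in _PAN_LIKE.finditer(text)]
```

`find_pan_like_sequences` is deliberately coarse (any 13- to 19-digit run is reported); the point is that masked and truncated values never trigger it, while an accidentally logged full PAN does.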


PAN Hashing

One-way hashing uses a cryptographic function to transform input data into a fixed-size digest. For example, when a system feeds a string of alphanumeric characters into a hashing algorithm, it returns a "hash" that bears no visible relationship to the original value.

This is useful for two reasons:

  • It renders PAN unreadable by anyone. The hash is entirely different from the original number, and reversing a hashing process is computationally infeasible.
  • It allows for authentication and verification of user data. Suppose a user or internal system provides the same account number for, say, a payment. In that case, the processing system can run the same hashing function and compare the results to verify the card without ever exposing it.

PCI requires that hashing use a strong "salt" (a secret input value) that renders the hash impossible to reverse. Furthermore, if your company keeps both hashed and truncated versions of the same PAN, the two must be kept from being correlated, so that a hacker who obtains both cannot combine them to reconstruct the original number.
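The paragraph above is illustrated by this added example, which is not code from the original article: a keyed hash (HMAC-SHA256) over the PAN digits, with two independent secrets so that hashes of full PANs and hashes of truncated PANs can never be lined up against each other, plus a constant-time verification step and an unkeyed hash shown for contrast. The keys are generated at import time as constructed placeholders; in production they would live in a key-management system or HSM. The PAN is a test value.

```python
"""Keyed one-way hashing of PAN, with full and truncated values kept apart.

Added example, not code from the original article. The keys are generated
at import time as constructed placeholders; in production they live in a
key-management system or HSM and are never hard-coded. The PAN is a test value.
"""
import hashlib
import hmac
import secrets

# Two independent secrets: one for hashes of full PANs, one for hashes of
# truncated PANs, so digests from the two populations cannot be correlated.
FULL_PAN_KEY = secrets.token_bytes(32)
TRUNCATED_PAN_KEY = secrets.token_bytes(32)


def pan_digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the digits. Without `key` nobody can recompute this
    digest, even if they can guess the input; that is what the secret input
    the article calls a salt provides."""
    return hmac.new(key, value.encode("ascii"), hashlib.sha256).hexdigest()


def hash_full_pan(pan: str) -> str:
    return keyed_hash(pan_digits(pan), FULL_PAN_KEY)


def hash_truncated_pan(pan: str) -> str:
    digits = pan_digits(pan)
    return keyed_hash(digits[:6] + digits[-4:], TRUNCATED_PAN_KEY)


def unkeyed_hash(pan: str) -> str:
    """For contrast only: a plain SHA-256 is the same for anyone who computes
    it, so on its own it does not protect PAN."""
    return hashlib.sha256(pan_digits(pan).encode("ascii")).hexdigest()


def verify_pan(candidate: str, stored_hash: str) -> bool:
    """Recompute the keyed hash of a presented card and compare in constant
    time; the stored PAN itself is never needed for the comparison."""
    return hmac.compare_digest(hash_full_pan(candidate), stored_hash)
```

Because `FULL_PAN_KEY` and `TRUNCATED_PAN_KEY` are independent, a database that stores both `hash_full_pan` and `hash_truncated_pan` values gives no way to tie one digest to the other, which is the separation the article describes.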


PAN Tokenization

Tokens are a way to use the value of PAN to secure it. During tokenization, your system takes the original PAN value and "tokenizes" it, replacing a selected range of digits with what is known as proxy data, aka the token. This token is derived from those digits and unique to them.

Following that, the full account number is stored in a PAN vault, protected by a correlating key. The proxy account number is stored in the normal database.

What does this accomplish? First, whenever the system needs to access PAN information, it can use the token to look up the actual information in the vault.

Second, this approach helps facilitate the online transmission of PANs without exposing them. Hackers intercepting transmissions will gain access to tokens, not PAN, so a customer’s bank account will not be exposed.
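As an added example that is not code from the original article, the following sketch shows the vault arrangement just described: the ordinary customer database holds only a token, the vault holds the only copy of each full PAN, and swapping a token back for its PAN requires presenting the vault key. The vault here is an in-memory dict standing in for a separately secured store (where, in practice, the PAN would also be encrypted at rest); the token format (random digits that keep the last four for display) and the vault key are constructed assumptions.

```python
"""Tokenization with a separate PAN vault.

Added example, not code from the original article. The vault is an in-memory
dict standing in for a separately secured store (in practice the PAN would
also be encrypted at rest there); the vault key and PAN are constructed
placeholders.
"""
import hashlib
import hmac
import secrets


def pan_digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


class PanVault:
    """Holds the only copy of each full PAN, looked up by token."""

    def __init__(self, vault_key: bytes):
        self._vault_key = vault_key
        self._pan_by_token: dict[str, str] = {}
        # keyed hash of PAN -> token, so the same card always maps to one token
        # without the vault having to scan its stored PANs
        self._token_by_pan_hash: dict[str, str] = {}

    def _pan_hash(self, digits: str) -> str:
        return hmac.new(self._vault_key, digits.encode("ascii"), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = pan_digits(pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("PAN must contain 13 to 19 digits")
        pan_hash = self._pan_hash(digits)
        if pan_hash in self._token_by_pan_hash:
            return self._token_by_pan_hash[pan_hash]
        # Random surrogate of the same length that keeps the last four digits
        # for display; the other digits carry no information about the PAN.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan_hash[pan_hash] = token
        return token

    def detokenize(self, token: str, presented_key: bytes) -> str:
        """Only a caller that presents the vault key gets the PAN back."""
        if not hmac.compare_digest(presented_key, self._vault_key):
            raise PermissionError("vault key required to detokenize")
        return self._pan_by_token[token]


def store_customer_card(vault: PanVault, customer_db: dict, customer_id: str, pan: str) -> str:
    """The ordinary database keeps only the token and a display string."""
    token = vault.tokenize(pan)
    customer_db[customer_id] = {
        "card_token": token,
        "display": "X" * (len(token) - 4) + token[-4:],
    }
    return token


def charge_stored_card(vault: PanVault, customer_db: dict, customer_id: str, vault_key: bytes) -> str:
    """The payment step is the one place that needs the real PAN; it goes
    through the vault with the key rather than reading it from the customer record."""
    token = customer_db[customer_id]["card_token"]
    return vault.detokenize(token, vault_key)
```

A breach of `customer_db` alone yields tokens and display strings, neither of which can be turned back into a PAN without the vault and its key; that is the property the section above relies on for safe transmission and storage.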


PAN Encryption

Finally, you can encrypt card data. Like tokenization, encryption alters the information (PAN) so attackers cannot read it. However, unlike tokenization, encryption relies on decryption keys rather than tokens and a vault to protect that information.


Make Sure You’re Meeting PCI DSS PAN Requirements with Continuum GRC

Practicing proper data obfuscation for PCI DSS compliance is a relatively straightforward proposition, so long as you know what you are doing. That's why payment processors worldwide trust the Continuum GRC platform to ensure they continue to meet or exceed PCI requirements.

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • DFARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • HIPAA
  • PCI DSS 4.0
  • IRS 1075
  • COSO SOX
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
