Storing partial credit card numbers

Joel picture Joel · Sep 28, 2009 · Viewed 14.4k times · Source

Possible Duplicates:

  1. Best practices for taking and storing credit card information with PHP
  2. Storing credit card details
  3. Storing Credit Card Information

I need to store credit card numbers within an e-commerce site. I don't intend on storing the whole credit card number, as this would be highly risky. I would like to store at least the first five digits so I can later identify the financial institution that issued the card. Ideally, I would like to store as much of the credit number as I safely can, to aid any future cross-referencing etc.

How many digits, and which particular digits, can I safely store?

For example, I imagine this would not be safe enough:

5555 5555 555* 4444

Because you could calculate the missing digit.

Similarly, this would be safe, but not be as useful:

5555 5*** **** ****

Is there a well accepted pattern for storing partial credit numbers?

Answer

BK picture BK · Sep 28, 2009

The Payment Card Data Security Standard states that if you are handling cardholder data, then you are subject to the constraints of the PCI DSS (which is very comprehensive and a challenge to comply with). If you want to store part of a card number, and don't want to have to deal with the Standard, then you need to make sure that a) you store NO MORE THAN the first 6 and last 4 digits; b) you don't ever store, process or transmit more than this. That means that the truncation has to be carried out before the data enters your control.

Given that you are talking about an ecommerce site, I think you'll have to deal with the PCI DSS sooner or later (since if you're not taking full PANs, you can't process transactions). Realistically, then, you should avoid storing more than the first 6 and last 4 digits of a PAN; the Standard then does not 'care' about this data, and you can store it in whatever form you see fit. If you store, say, the first 7 digits, then Requirement 3 of the Standard kicks in (and you start having to really understand key management in encryption).

I hope that this is of use.