Usually when I enter and save my credit card number in an online shop or mobile app, only the last four numbers are shown as a reminder. Example (not actual digits):

Your card: **** **** **** 1234

Recently I used an app where the card number was shown as below (not actual digits):

Your card: 1234 56** **** 1234

Are there any good practices, or something enforced by Visa/MC or by law, regulating how to mask a card number properly?

tomash

2 Answers

The terms you want to look into, provided this is in the US, are PCI Compliance and PA DSS. PCI compliance is for the vendor that you are shopping with and PA DSS applies to the company that produces the software that takes the credit cards (what the vendor uses to sell you things).

According to the PCI Compliance Guide, the maximum digits that can be displayed are the first 6 and last 4 of a card number. Your example shows that maximum allowance. This requirement is different from the requirement for storing the card number in a database.

BobbyScon
  • So if there are 2 websites, website A which shows the first 6, and website B which shows the last 4, and you hack a user's account on both sites (which is made especially easy by how frequently people reuse the same login/password across sites), then there's only 6 digits left to guess (search space of 1,000,000)? And don't forget there's a checksum, which I suspect would greatly reduce the search space even further. That seems so insecure! – Alexander Aug 24 '18 at 21:43
  • PCI is worldwide, not just US. To be exact, DSS (the Data Security Standard) applies to all merchant systems, and PA-DSS (Payment Application DSS) to third-party software; PCISSC has several other standards besides DSS and PA-DSS, like P2PE (Point-to-Point Encryption), but the 'library' doesn't show them by default, you need to use the pulldown. – dave_thompson_085 Aug 25 '18 at 00:05
  • @Alexander The CVV2 number would be required for a card-not-present transaction. Because the payment card number and CVV2 aren't related, you could brute-force a version of the former with a passing check digit, but you'd still have to interact with a clearinghouse to find a version of the latter that works. Even moderate numbers of invalid CVV2s on a valid PCN would trip card issuers' anti-fraud systems. – Blrfl Aug 25 '18 at 23:34
  • @Blrfl The CVV is not mandatory. It just lowers transaction fees for merchants. – Alexander Aug 25 '18 at 23:35
  • @Alexander Not 100%, but the card issuers are requiring it in North America and western Europe for the kinds of merchants where fraud is more likely. Realistically, when was the last time you did a transaction with an online merchant that didn't ask for it? – Blrfl Aug 25 '18 at 23:42
  • @Blrfl Amazon, last week. – Alexander Aug 26 '18 at 00:01
  • @Alexander FWIW, the first 6 digits are publicly known, and can be guessed if you know the card issuer. So, once you see the last four digits, you usually have the first six already. – jpaugh Aug 27 '18 at 13:49
BobbyScon's answer points you to the industry standard PCI rules, but the anatomy of a credit card number is as follows.

  • The first digit is the major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc.)

  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these, my Chase cards all have the same first six digits)

  • The next 9 digits are your account number

  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, you can't simply change a digit of your card number to use it as a fake)

So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many, many, many cards, and there's no benefit to the vendor to know the bank IDs.

quid
  • Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: https://www.mastercard.us/en-us/issuers/get-support/2-series-bin-expansion.html) – TylerH Aug 23 '18 at 19:19
  • Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not) as long as your cards come from different issuers. – Relaxed Aug 23 '18 at 19:20
  • Maybe for AMEX, as with the way numbers are issued there have been times where I have had more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits; people are not used to seeing the first six and last four. – quid Aug 23 '18 at 19:30
  • Are you sure that the rule that the first 6 digits are the bank ID and the next 9 are the account is valid for all cards? In Denmark 4571 ABCD XXXX XXXX, 4571 identifies the card as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank has one or more registration numbers mainly corresponding to branches) and the rest is the individual card number including checksum. – Bent Aug 23 '18 at 21:36
  • Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well. – BobbyScon Aug 23 '18 at 21:57
  • @Bent 4 is the Major Industry Identifier, which indicates banking>VISA, and I suspect everything in the range of "571AB" (where AB is 00-99 or some subset thereof) has been allocated to Dankort, who then assigns the account numbers (CD + the first seven XXXX XXX) as they see fit. Perhaps they got the AB subsets assigned by region, and within each AB region, they set the first two digits as a branch indicator and the remaining seven digits indicate the individual account. This is all speculation of course (beyond the 4) :) – Doktor J Aug 24 '18 at 21:08
  • @quid I'm surprised you've gotten two cards with the same last4. Whenever my AMEX card is replaced, the last 4 change but the rest stays the same. – Barmar Aug 24 '18 at 21:30
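The two answers together describe a display rule (BobbyScon: at most the first six and last four digits may be shown) and a number layout (quid: major ID digit, six-digit bank ID, account number, Luhn check digit). The following is an added example, not code from any post on this page: it splits a number into those fields, checks the Luhn digit, produces a compliant masked display, and audits an already-masked string against the first-6/last-4 limit. The sample number is the widely published Visa test number, used here as a constructed input, not a real card.

```python
import re

# PCI DSS display rule as described in the answers: at most the first six
# and last four digits of a PAN may be shown.
MAX_LEADING = 6
MAX_TRAILING = 4
# Constructed sample: the widely published Visa test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

def luhn_valid(pan: str) -> bool:
    """Check the last digit against the Luhn checksum quid mentions."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # walk right to left
        if i % 2 == 1:                         # double every second digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def pan_anatomy(pan: str) -> dict:
    """Split a PAN into the fields quid's answer lists."""
    d = re.sub(r"\D", "", pan)
    return {"mii": d[0], "iin": d[:6], "account": d[6:-1],
            "check_digit": d[-1], "luhn_ok": luhn_valid(d)}

def mask_pan(pan: str, leading: int = 0, trailing: int = 4) -> str:
    """Mask a PAN for display, refusing masks wider than the rule allows."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN length out of range")
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("mask would expose more than first 6 / last 4")
    masked = d[:leading] + "*" * (len(d) - leading - trailing) + d[len(d) - trailing:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))

def display_is_compliant(shown: str) -> bool:
    """Audit an already-masked string: digits only at the ends, within limits."""
    s = re.sub(r"\s", "", shown)
    m = re.fullmatch(r"(\d*)\*+(\d*)", s)
    if m is None:              # no masked run, or digits interleaved with masks
        return False
    head, tail = m.groups()
    return len(head) <= MAX_LEADING and len(tail) <= MAX_TRAILING
```

`mask_pan(SAMPLE_PAN)` yields the question's first style of display and `mask_pan(SAMPLE_PAN, leading=6)` the second; `display_is_compliant` is the check to run over whatever a front end actually renders.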