Over the course of MANY PCI-DSS projects, we have come across a fair number of scenarios. They range from the shake-your-head unbelievable nonsense, such as the acquirer bank sending full PAN over fax or email to our service provider and then refusing to comply with PCI itself, to the often-stated problem: we need to keep the full PAN to identify the transaction so we can reconcile it later.
That last one is particularly grating, because it inflates our customer's scope so much, and so unnecessarily. One of the clients we are working with now, when asked, and asked, and asked again, finally conceded that they don't actually require the full PAN.
According to PCI Compliance 3rd Edition by Syngress:
Did you know that you only need four elements to uniquely identify any transaction in your enterprise, and one of those is not the full card number? These elements are as follows:
First six and last four (or just last four) digits of the card number,
Date and time of purchase,
Amount of purchase,
Authorization code.
Customers who have used this method have never reported that two transactions matched these elements identically but had different card numbers.
I've been saying that from day one. You don't need the full 16 digits! The reason people insist on it is that they, or the service provider, or the developers, are too lazy to change the primary reference key so that it combines several parameters to identify a unique record. It's laziness. So instead they grab the one field that happens to be unique on its own, the PAN, and use that, dragging in compliance controls that could easily have been avoided. Unless you are an issuer or acquirer, you can sidestep the most painful controls, the ones around storing cardholder data, if you just STOP obsessing over storing PANs!!
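To make the composite-key idea concrete, here is an added example (not code from this post, from the Syngress book, or from any PCI standard) that reconciles an acquirer settlement file against a merchant's own records using the four quoted elements. The transactions, the CSV layout, the field names and the order/settlement identifiers are all constructed for the illustration. The full PAN is consumed only to derive the truncated form and is never persisted.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


def truncate_pan(pan: str) -> str:
    """Return the PAN truncated to first six and last four digits, the middle
    digits replaced by '*'. Non-digit characters (spaces, dashes) are stripped."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class TxnKey:
    """Composite reconciliation key built from the four elements quoted above."""
    pan_trunc: str   # first six + last four only; the full PAN is never stored
    when: str        # ISO-8601 timestamp at second precision
    amount: str      # normalised to two decimal places
    auth_code: str   # authorization code, upper-cased


def make_key(pan: str, when: datetime, amount: str, auth_code: str) -> TxnKey:
    """Derive the composite key. Normalisation matters: merchant and acquirer
    must compute byte-identical keys for the same transaction."""
    return TxnKey(
        pan_trunc=truncate_pan(pan),
        when=when.replace(microsecond=0).isoformat(),
        amount=str(Decimal(amount).quantize(Decimal("0.01"))),
        auth_code=auth_code.strip().upper(),
    )


# Constructed sample: what the merchant captures at authorization time.
# The first two rows share card and amount; only time and auth code tell
# them apart, which is exactly why the last four alone is not a key.
AUTHORIZATIONS = [
    # (pan, timestamp, amount, auth_code, internal order id) - all made up
    ("4111 1111 1111 1111", "2019-03-01T10:15:00", "49.99", "A1B2C3", "ORD-1001"),
    ("4111 1111 1111 1111", "2019-03-01T10:17:30", "49.99", "D4E5F6", "ORD-1002"),
    ("5555555555554444", "2019-03-01T11:02:10", "120", "778899", "ORD-1003"),
]


def build_index(authorizations) -> dict:
    """Map composite key -> internal order id. The full PAN is consumed by
    make_key() and dropped; only the truncated form lives in the index.
    A collision is raised rather than silently overwritten."""
    index = {}
    for pan, when, amount, auth_code, order_id in authorizations:
        key = make_key(pan, datetime.fromisoformat(when), amount, auth_code)
        if key in index:
            raise ValueError(f"composite key collision: {order_id} vs {index[key]}")
        index[key] = order_id
    return index


# Constructed acquirer settlement file. Acquirers typically send full PAN;
# we derive the key from it in memory and never persist the PAN.
SETTLEMENT_CSV = """pan,timestamp,amount,auth_code,acquirer_ref
4111111111111111,2019-03-01T10:15:00,49.99,A1B2C3,SET-9001
4111111111111111,2019-03-01T10:17:30,49.99,d4e5f6,SET-9002
5555555555554444,2019-03-01T11:02:10,120.00,778899,SET-9003
4111111111111111,2019-03-01T12:00:00,10.00,ZZZ999,SET-9004
"""


def reconcile(index: dict, settlement_csv: str):
    """Match each settlement row to an internal order by composite key.
    Returns (matched: {acquirer_ref: order_id}, unmatched: [acquirer_ref])."""
    matched, unmatched = {}, []
    for row in csv.DictReader(io.StringIO(settlement_csv)):
        key = make_key(row["pan"], datetime.fromisoformat(row["timestamp"]),
                       row["amount"], row["auth_code"])
        if key in index:
            matched[row["acquirer_ref"]] = index[key]
        else:
            unmatched.append(row["acquirer_ref"])
    return matched, unmatched


FULL_PAN_RE = re.compile(r"\d{13,19}")


def index_holds_full_pan(index: dict) -> bool:
    """Scope check: does anything we persist look like a full PAN?"""
    return any(FULL_PAN_RE.search(field)
               for key in index for field in vars(key).values())


if __name__ == "__main__":
    idx = build_index(AUTHORIZATIONS)
    matched, unmatched = reconcile(idx, SETTLEMENT_CSV)
    print("matched:", matched)
    print("unmatched:", unmatched)
    print("full PAN persisted:", index_holds_full_pan(idx))
```

Two practitioner points the example carries. First, the key is only as good as its normalisation: the settlement file here sends the auth code in lower case and the amount with trailing zeros, and the matching still works because both sides quantize the amount and upper-case the code before comparing. Second, the book's "never reported a collision" is an observation, not a guarantee, so build_index() refuses to overwrite an existing key; if two records ever did share all four elements you want an exception at load time, not a wrong reconciliation.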