Credit card number masking - good practices, rules, law regulations?
Usually when I enter and save my credit card number in an online shop or mobile app, only the last four digits are shown as a reminder. Example (not actual digits):

Your card: **** **** **** 1234

Recently I used an app where the card number was shown as below (not actual digits):

Your card: 1234 56** **** 1234

Are there any good practices, or anything enforced by Visa/MC or by law, regulating how to mask a card number properly?

Tags: credit-card

asked Aug 23 at 13:18 by tomash
  • See also security.stackexchange.com/questions/145070/…
    – user71659, Aug 23 at 16:42
  • See also stackoverflow.com/a/33500575/2908724
    – bishop, Aug 24 at 17:53
  • Also of interest: What do the numbers on a credit card mean
    – JPhi1618, Aug 24 at 19:30
2 Answers

Accepted answer (score 53):

The terms you want to look into, provided this is in the US, are PCI Compliance and PA DSS. PCI compliance is for the vendor that you are shopping with and PA DSS applies to the company that produces the software that takes the credit cards (what the vendor uses to sell you things).



According to the PCI Compliance Guide, the maximum digits that can be displayed are the first 6 and last 4 of a card number. Your example shows that maximum allowance. This requirement is different than the requirement for storing the card number in a database.

answered Aug 23 at 14:05 by BobbyScon

  • So if there are 2 websites, website A which shows the first 6, and website B which shows the last 4, and you hack a user's account on both sites (which is made especially easy by how frequently people reuse the same login/password across sites), then there's only 6 digits left to guess (search space of 1,000,000)? And don't forget there's a checksum, which I suspect would greatly reduce the search space even further. That seems so insecure!
    – Alexander, Aug 24 at 21:43
  • PCI is worldwide, not just US. To be exact, DSS (the Data Security Standard) applies to all merchant systems, and PA-DSS (Payment Application DSS) to third-party software; PCI SSC has several other standards besides DSS and PA-DSS, like P2PE (Point-to-Point Encryption), but the 'library' doesn't show them by default, you need to use the pulldown.
    – dave_thompson_085, Aug 25 at 0:05
  • @Alexander The CVV2 number would be required for a card-not-present transaction. Because the payment card number and CVV2 aren't related, you could brute-force a version of the former with a passing check digit, but you'd still have to interact with a clearinghouse to find a version of the latter that works. Even moderate numbers of invalid CVV2s on a valid PCN would trip card issuers' anti-fraud systems.
    – Blrfl, Aug 25 at 23:34
  • @Blrfl The CVV is not mandatory. It just lowers transaction fees for merchants.
    – Alexander, Aug 25 at 23:35
  • @Blrfl Amazon, last week.
    – Alexander, Aug 26 at 0:01

Answer (score 25):

BobbyScon's answer points you to the industry-standard PCI rules, but the anatomy of a credit card number is as follows.

  • The first digit is the major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc.)
  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these; my Chase cards all have the same first six digits)
  • The next 9 digits are your account number
  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number; you can't simply change a digit of your card number to use it as a fake)

So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many many many cards, and there's no benefit to the vendor in knowing the bank IDs.

answered Aug 23 at 17:33 by quid

  • Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: mastercard.us/en-us/issuers/get-support/…)
    – TylerH, Aug 23 at 19:19
  • Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not) as long as your cards come from different issuers.
    – Relaxed, Aug 23 at 19:20
  • Maybe for AMEX, as the way numbers are issued there have been times where I have had more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits; people are not used to seeing the first six and last four.
    – quid, Aug 23 at 19:30
  • Are you sure that the rule that the first 6 digits are the bank ID and the next 9 are the account is valid for all cards? In Denmark, for 4571 ABCD XXXX XXXX, 4571 identifies the card as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank has one or more registration numbers, mainly corresponding to branches), and the rest is the individual card number including the checksum.
    – Bent, Aug 23 at 21:36
  • Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well.
    – BobbyScon, Aug 23 at 21:57
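Putting the two answers into code, as an added example that is not from either answer or from any PCI document: a small Python module that masks a PAN for display (last-4-only by default, and never beyond the first-6/last-4 maximum the accepted answer cites), validates the Luhn check digit quid's answer describes, audits a display string for over-exposure, and scrubs Luhn-valid digit runs out of free text such as log lines. The card numbers are the widely published Visa and AMEX test numbers, and the log line is constructed.

```python
import re

# PCI DSS display rule cited in the accepted answer: at most the first 6 and
# the last 4 digits of a PAN may be shown. Everything else must be masked.
PCI_MAX_LEADING = 6
PCI_MAX_TRAILING = 4

# Candidate PAN in free text: 13-19 digits, optionally separated by spaces/dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: the 'somewhat simple algorithm' quid's answer mentions.
    Counting from the rightmost digit, every second digit is doubled (minus 9 if
    the result exceeds 9); the PAN is valid when the sum is a multiple of 10."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # positions to double, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a plausible, Luhn-valid PAN,
    so a mangled value is never logged or displayed as if it were a card number."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a 13-19 digit PAN")
    if not luhn_valid(pan):
        raise ValueError("check digit mismatch")
    return pan


def within_pci_display_limits(leading: int, trailing: int) -> bool:
    """True when a (leading, trailing) visible-digit choice stays inside first-6/last-4."""
    return 0 <= leading <= PCI_MAX_LEADING and 0 <= trailing <= PCI_MAX_TRAILING


def mask_pan(raw: str, leading: int = 0, trailing: int = 4) -> str:
    """Display form of a PAN. Default is the last-4-only form the question calls
    usual; leading=6 gives the maximum PCI allows (the question's second example).
    A request beyond the maximum is refused rather than silently clipped."""
    if not within_pci_display_limits(leading, trailing):
        raise ValueError("exceeds PCI DSS display maximum (first 6, last 4)")
    pan = normalize_pan(raw)
    hidden = "*" * (len(pan) - leading - trailing)
    masked = pan[:leading] + hidden + (pan[-trailing:] if trailing else "")
    # Regroup in fours for readability (AMEX 4-6-5 grouping is not preserved).
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def exposes_too_much(display: str) -> bool:
    """Audit check for UI strings, receipts or logs: True if a masked value still
    reveals more than the first 6 / last 4 digits, or any digit in between."""
    s = re.sub(r"[ -]", "", display)
    lead = len(s) - len(s.lstrip("0123456789"))
    trail = len(s) - len(s.rstrip("0123456789"))
    if lead == len(s):                     # no mask characters at all
        return True
    middle = s[lead:len(s) - trail]
    return (lead > PCI_MAX_LEADING or trail > PCI_MAX_TRAILING
            or any(c.isdigit() for c in middle))


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text with its last-4 mask.
    Digit runs that fail Luhn (order ids, timestamps) are left alone to keep
    false positives down; a log scrubber would run this before lines are written."""
    def repl(match):
        try:
            return mask_pan(match.group(0))
        except ValueError:
            return match.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    # Constructed inputs: the widely published Visa and AMEX test numbers.
    visa, amex = "4111 1111 1111 1111", "378282246310005"
    print(mask_pan(visa))                  # **** **** **** 1111
    print(mask_pan(visa, leading=6))       # 4111 11** **** 1111
    print(mask_pan(amex, leading=6))       # 3782 82** ***0 005
    print(exposes_too_much("1234 567* **** 1234"))   # True: 7 leading digits
    # Constructed log line: the order id is 13 digits but fails Luhn, so it survives.
    print(redact_pans("order 1234567890123 paid with 4111-1111-1111-1111 approved"))
```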
up vote
25
down vote













BobbyScon's answer points you to the industry standard PCI rules but, the anatomy of a credit card number is as follows.



  • First Digit is major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc)


  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these, my Chase cards all have the same first six digits)


  • The next 9 digits are your account number


  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, you can't simply change a digit of your card number to use it as a fake)


So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many many many cards and there's no benefit to the vendor to know the bank IDs.






share|improve this answer
















  • 3




    Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: mastercard.us/en-us/issuers/get-support/…)
    – TylerH
    Aug 23 at 19:19






  • 3




    Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not) as long as your cards come from different issuers.
    – Relaxed
    Aug 23 at 19:20






  • 2




    Maybe for AMEX as the way numbers are issued there have been times where I have more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits, people are not used to seeing the first six and last four.
    – quid
    Aug 23 at 19:30











  • Are you sure that the rule that the first 6 digits are bank id and the next 9 are account is valid for all cards? In Denmark 4571 ABCD XXXX XXXX, 4571 identifies the cards as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank have one or more registration numbers mainly corresponding to branches) and the rest is the individual card number including checksum.
    – Bent
    Aug 23 at 21:36






  • 1




    Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well.
    – BobbyScon
    Aug 23 at 21:57














up vote
25
down vote













BobbyScon's answer points you to the industry standard PCI rules but, the anatomy of a credit card number is as follows.



  • First Digit is major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc)


  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these, my Chase cards all have the same first six digits)


  • The next 9 digits are your account number


  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, you can't simply change a digit of your card number to use it as a fake)


So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many many many cards and there's no benefit to the vendor to know the bank IDs.






share|improve this answer
















  • 3




    Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: mastercard.us/en-us/issuers/get-support/…)
    – TylerH
    Aug 23 at 19:19






  • 3




    Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not) as long as your cards come from different issuers.
    – Relaxed
    Aug 23 at 19:20






  • 2




    Maybe for AMEX as the way numbers are issued there have been times where I have more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits, people are not used to seeing the first six and last four.
    – quid
    Aug 23 at 19:30











  • Are you sure that the rule that the first 6 digits are bank id and the next 9 are account is valid for all cards? In Denmark 4571 ABCD XXXX XXXX, 4571 identifies the cards as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank have one or more registration numbers mainly corresponding to branches) and the rest is the individual card number including checksum.
    – Bent
    Aug 23 at 21:36






  • 1




    Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well.
    – BobbyScon
    Aug 23 at 21:57












up vote
25
down vote










up vote
25
down vote









BobbyScon's answer points you to the industry standard PCI rules but, the anatomy of a credit card number is as follows.



  • First Digit is major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc)


  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these, my Chase cards all have the same first six digits)


  • The next 9 digits are your account number


  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, you can't simply change a digit of your card number to use it as a fake)


So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many many many cards and there's no benefit to the vendor to know the bank IDs.






share|improve this answer












BobbyScon's answer points you to the industry standard PCI rules but, the anatomy of a credit card number is as follows.



  • First Digit is major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc)


  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these, my Chase cards all have the same first six digits)


  • The next 9 digits are your account number


  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, you can't simply change a digit of your card number to use it as a fake)


So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many many many cards and there's no benefit to the vendor to know the bank IDs.







share|improve this answer












share|improve this answer



share|improve this answer










answered Aug 23 at 17:33









quid
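The two points the answer makes, the Luhn checksum in the last digit and how much of the number a display may leave in clear, as an added example (not code from the answer or from any card brand; the card numbers are constructed test values, and the 6+4 limit is PCI DSS requirement 3.3 as referenced via BobbyScon's answer):

```python
# Added example (not from the answer or from any card brand's code): Luhn validation
# and PCI DSS 3.3-style PAN masking. All card numbers below are constructed
# test values, not real cards.

def luhn_valid(pan: str) -> bool:
    """True if the digits of pan pass the Luhn checksum (the 'simple algorithm'
    behind the last digit). Non-digit separators are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # walk right to left
        if i % 2 == 1:                        # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping at most the first 6 and last 4 digits
    (the maximum PCI DSS requirement 3.3 allows in clear). Output is regrouped
    in blocks of four, as on the card."""
    digits = "".join(c for c in pan if c.isdigit())
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most first 6 and last 4 digits in clear")
    if keep_first + keep_last >= len(digits):
        raise ValueError("mask would reveal the entire PAN")
    hidden = "*" * (len(digits) - keep_first - keep_last)
    masked = digits[:keep_first] + hidden + digits[len(digits) - keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def within_pci_display_limit(shown: str) -> bool:
    """Check an already-masked display string: no more than 6 leading and 4
    trailing digits in clear, and no digits between them."""
    s = "".join(c for c in shown if not c.isspace())
    lead = len(s) - len(s.lstrip("0123456789"))
    trail = len(s) - len(s.rstrip("0123456789"))
    middle = s[lead:len(s) - trail]
    return lead <= 6 and trail <= 4 and not any(c.isdigit() for c in middle)


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"            # constructed Luhn-valid test value
    print(luhn_valid(test_pan))                  # True
    print(luhn_valid("4111 1111 1111 1112"))     # False: one changed digit breaks the checksum
    print(mask_pan(test_pan))                    # **** **** **** 1111
    print(mask_pan(test_pan, keep_first=6))      # 4111 11** **** 1111
    print(within_pci_display_limit("1234 567* **** 1234"))  # False: 7 leading digits
```

`within_pci_display_limit` is the check to run over whatever string a UI or receipt template actually renders, since the masking function and the display code are often not the same component.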
  • 3
    Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: mastercard.us/en-us/issuers/get-support/…)
    – TylerH
    Aug 23 at 19:19

  • 3
    Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not) as long as your cards come from different issuers.
    – Relaxed
    Aug 23 at 19:20

  • 2
    Maybe for AMEX, as the way numbers are issued there have been times where I have had more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits; people are not used to seeing the first six and last four.
    – quid
    Aug 23 at 19:30

  • Are you sure that the rule that the first 6 digits are bank ID and the next 9 are account is valid for all cards? In Denmark 4571 ABCD XXXX XXXX, 4571 identifies the card as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank has one or more registration numbers, mainly corresponding to branches), and the rest is the individual card number including the checksum.
    – Bent
    Aug 23 at 21:36

  • 1
    Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well.
    – BobbyScon
    Aug 23 at 21:57