Credit card number masking - good practices, rules, law regulations?
Usually when I enter and save my credit card number in an online shop or mobile app, only the last four digits are shown as a reminder. Example (not actual digits):
Your card: **** **** **** 1234
Recently I used an app where the card number was shown as below (not actual digits):
Your card: 1234 56** **** 1234
Are there any good practices, or anything enforced by Visa/MC or by law, regulating how to mask a card number properly?
credit-card
asked Aug 23 at 13:18
tomash
See also security.stackexchange.com/questions/145070/…
– user71659
Aug 23 at 16:42
See also stackoverflow.com/a/33500575/2908724
– bishop
Aug 24 at 17:53
Also of interest: What do the numbers on a credit card mean
– JPhi1618
Aug 24 at 19:30
2 Answers
The terms you want to look into, provided this is in the US, are PCI Compliance and PA DSS. PCI compliance is for the vendor that you are shopping with and PA DSS applies to the company that produces the software that takes the credit cards (what the vendor uses to sell you things).
According to the PCI Compliance Guide, the maximum digits that can be displayed are the first 6 and last 4 of a card number. Your example shows that maximum allowance. This requirement is different than the requirement for storing the card number in a database.
answered Aug 23 at 14:05
BobbyScon
So if there are 2 websites, website A which shows the first 6, and website B which shows the last 4, and you hack a user's account on both sites (which is made especially easy by how frequently people reuse the same login/password across sites), then there's only 6 digits left to guess (search space of 1,000,000)? And don't forget there's a checksum, which I suspect would greatly reduce the search space even further. That seems so insecure!
– Alexander
Aug 24 at 21:43
PCI is worldwide, not just US. To be exact, DSS (the Data Security Standard) applies to all merchant systems, and PA-DSS (Payment Application DSS) to third-party software; PCI SSC has several other standards besides DSS and PA-DSS, like P2PE (Point-to-Point Encryption), but the 'library' doesn't show them by default; you need to use the pulldown.
– dave_thompson_085
Aug 25 at 0:05
@Alexander The CVV2 number would be required for a card-not-present transaction. Because the payment card number and CVV2 aren't related, you could brute-force a version of the former with a passing check digit, but you'd still have to interact with a clearinghouse to find a version of the latter that works. Even moderate numbers of invalid CVV2s on a valid PCN would trip card issuers' anti-fraud systems.
– Blrfl
Aug 25 at 23:34
@Blrfl The CVV is not mandatory. It just lowers transaction fees for merchants.
– Alexander
Aug 25 at 23:35
@Blrfl Amazon, last week.
– Alexander
Aug 26 at 0:01
BobbyScon's answer points you to the industry-standard PCI rules, but the anatomy of a credit card number is as follows.
The first digit is the major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc.)
The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these; my Chase cards all have the same first six digits)
The next 9 digits are your account number
The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, so you can't simply change a digit of your card number to use it as a fake)
So it looks like your second example felt it sufficient to block only most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many, many, many cards, and there's no benefit to the vendor in knowing the bank IDs.
answered Aug 23 at 17:33
quid
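As an added example (not code from the question or from either answer), the following Python helpers produce both displays the question shows, enforce the first-six/last-four ceiling BobbyScon cites (PCI DSS requirement 3.3 in the v3.x standard), validate the check digit quid mentions with the Luhn algorithm, and audit an already-rendered mask for over-exposure. The card numbers used are constructed, publicly known test numbers, not real cards.

```python
import re

# Characters commonly used as mask glyphs in displayed card numbers.
MASK_CHARS = frozenset("*Xx#•")


def luhn_valid(digits: str) -> bool:
    """Luhn check on a string of digits (the "somewhat simple algorithm" behind
    the check digit). Returns False for anything that is not 13-19 digits."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk right to left; double every second digit starting with the one
    # left of the check digit, folding two-digit products (14 -> 1+4 = 5).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Mask a PAN for display.

    Default keeps only the last four digits (**** **** **** 1234). show_bin=True
    also keeps the first six (the BIN), the most PCI DSS 3.3 allows, and then
    only for personnel with a business need to see it. Output is grouped in
    fours; 15-digit AMEX numbers are grouped 4-6-5 as printed on the card.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN; refusing to display")
    head = digits[:6] if show_bin else ""
    tail = digits[-4:]
    flat = head + "*" * (len(digits) - len(head) - 4) + tail
    if len(flat) == 15:
        groups = [flat[:4], flat[4:10], flat[10:]]
    else:
        groups = [flat[i:i + 4] for i in range(0, len(flat), 4)]
    return " ".join(groups)


def display_is_compliant(masked: str) -> bool:
    """Audit an already-masked display string against the PCI DSS 3.3 rule:
    at most the first six and last four digits may be visible, something must
    actually be masked, and no digits may peek through in the middle."""
    cells = [c for c in masked if c.isdigit() or c in MASK_CHARS]
    if not cells or not any(c in MASK_CHARS for c in cells):
        return False  # nothing masked: the full PAN is on screen
    lead = 0
    while lead < len(cells) and cells[lead].isdigit():
        lead += 1
    trail = 0
    while trail < len(cells) and cells[-1 - trail].isdigit():
        trail += 1
    middle = sum(c.isdigit() for c in cells) - lead - trail
    return lead <= 6 and trail <= 4 and middle == 0


if __name__ == "__main__":
    # Constructed, publicly known test numbers (not real cards).
    visa_test = "4111 1111 1111 1111"
    amex_test = "3782 822463 10005"
    print(mask_pan(visa_test))                 # **** **** **** 1111
    print(mask_pan(visa_test, show_bin=True))  # 4111 11** **** 1111
    print(mask_pan(amex_test, show_bin=True))  # 3782 82**** *0005
    for shown in ("**** **** **** 1234", "1234 56** **** 1234",
                  "1234 5678 **** 1234"):
        verdict = "ok" if display_is_compliant(shown) else "OVER-EXPOSED"
        print(shown, "->", verdict)
```

The third audited string exposes eight leading digits and is rejected, which is the check a reviewer would run against a screenshot or HTML template rather than against the stored PAN.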
Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: mastercard.us/en-us/issuers/get-support/…)
– TylerH
Aug 23 at 19:19
Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not), as long as your cards come from different issuers.
– Relaxed
Aug 23 at 19:20
Maybe for AMEX, as with the way numbers are issued there have been times where I have had more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits; people are not used to seeing the first six and last four.
– quid
Aug 23 at 19:30
Are you sure that the rule that the first 6 digits are the bank ID and the next 9 are the account is valid for all cards? In Denmark, 4571 ABCD XXXX XXXX: 4571 identifies the card as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank has one or more registration numbers, mainly corresponding to branches), and the rest is the individual card number including the checksum.
– Bent
Aug 23 at 21:36
Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well.
– BobbyScon
Aug 23 at 21:57
show 2 more comments
3
Mastercard also issues some BIN 2 cards as of 2017, not just BIN 5. (Source: mastercard.us/en-us/issuers/get-support/â¦)
â TylerH
Aug 23 at 19:19
3
Displaying partial card numbers helps people remember which one they used (if they have several). From that perspective, it doesn't really matter that the first 6 digits are common across many cards (or whether you realise this or not) as long as your cards come from different issuers.
â Relaxed
Aug 23 at 19:20
2
Maybe for AMEX as the way numbers are issued there have been times where I have more than one AMEX with the same last four digits, but for Visa/MC/Discover it's so exceptionally unlikely that you'll be issued two cards with the same last four that I suspect this masking method raises more security concerns in uninformed people than it assists people with a lot of credit cards. People are used to seeing the last four digits, people are not used to seeing the first six and last four.
â quid
Aug 23 at 19:30
Are you sure that the rule that the first 6 digits are bank id and the next 9 are account is valid for all cards? In Denmark 4571 ABCD XXXX XXXX, 4571 identifies the cards as a VISA/Dankort, ABCD is the bank registration number (digits) (each bank have one or more registration numbers mainly corresponding to branches) and the rest is the individual card number including checksum.
â Bent
Aug 23 at 21:36
1
Usually the reason for not obscuring the first 6 digits is for internal reference. There may be employees within the organization who need access to more than just the last 4, but aren't authorized to have the credentials to view the decrypted full 16 (if it was even stored in their system). Most commonly this is for verifying refunds and auditing payments from the appropriate banks to their own bank. While you may commonly only see 4 digits printed on a receipt, that doesn't mean the back office systems don't have access to the first 6 as well.
â BobbyScon
Aug 23 at 21:57