We felt like the echoes just kept getting louder throughout the book. You don’t have to secure what you don’t store, which means a solid truncation strategy reduces your scope. In fact, truncation is the next best thing to secure destruction when it comes to scope reduction and PCI DSS.
When Branden worked for a large bank, this was the strategy he chose to employ in the areas subject to PCI DSS. In most cases, total destruction was not an option for us due to various business constraints—namely that switching to a deletion strategy would cost more than the benefits we would get out of it. Truncation became the next best option, and deploying it as a strategy saved us tens of millions of dollars.
Before you go running to your CFO saying you have unlocked tens of millions of dollars to spend on things other than PCI, understand that in my case the savings were so large because we had not yet built out a fully functional PCI-compliant environment. In order to store payment cards, we would have had to spend tens of millions building all of that out.
That said, you can use that same logic in your world. Remember that every card number you keep carries a cost to your bottom line. Those costs range from an initial investment (CapEx) to the amortization (OpEx) over time and continued maintenance as the technology eventually becomes legacy.
As payment card construction evolves with the fraud landscape, so do the rules on truncation itself. The Council recently updated its truncation guidance: where it used to allow storing only the first six and last four digits of the PAN, it now specifies a more complex set of rules, which we show below.
The list below describes all the different options from the Council itself:
- 16-digit PAN (with either a 6- or 8-digit BIN): At least 4 digits removed. Maximum digits which may be retained: “First 8, any other 4.”
- 15-digit PAN: At least 5 digits removed. Maximum digits which may be retained: “First 6, last 4.”
- Less than 15-digit PAN: Maximum digits which may be retained: “First 6, any other 4.”
In every previous edition of the book, we used the “first six, last four” rule of thumb on truncation as the maximum digits you can show. In our experience, however, those are often superfluous digits for most things you will do with account data—unless of course you are processing it.
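To make the Council's limits above and the book's conservative "first six, last four" default concrete, here is an added example (our own illustration, not code from the book or from the Council) of a truncation routine plus a checker you can run over fields you find during scoping to see whether they retain more digits than allowed. Everything it assumes beyond the quoted rules is labelled in the code: "any other 4" is taken as "the last 4", a 13-digit floor is assumed because the page gives no lower bound, lengths above 16 are rejected because the page gives no rule for them, and removed digits are replaced with "X" so the stored field keeps its width.

```python
"""Added example (not from the book or the Council): PAN truncation and a
retention check built on the limits quoted on this page.

Assumptions made here, not stated on the page:
- "any other 4" is implemented as "the last 4", the usual choice.
- The quoted rules give no lower bound, so a 13-digit minimum is assumed;
  lengths above 16 are rejected because the page gives no rule for them.
- Removed digits are replaced with 'X' so the stored field keeps its width.
"""
from __future__ import annotations

import re
from typing import Tuple

MASK_CHAR = "X"
_DIGITS = "0123456789"


def retention_limits(pan_length: int) -> Tuple[int, int]:
    """Return (max leading digits, max other digits) that may be retained
    for a PAN of this length, per the Council rules quoted on the page."""
    if pan_length == 16:
        return 8, 4            # "First 8, any other 4"; at least 4 removed
    if pan_length == 15:
        return 6, 4            # "First 6, last 4"; at least 5 removed
    if 13 <= pan_length < 15:  # 13-digit floor is this example's assumption
        return 6, 4            # "First 6, any other 4"
    raise ValueError(f"no rule on this page for a {pan_length}-digit PAN")


def truncate_pan(pan: str, leading: int = 6, trailing: int = 4) -> str:
    """Truncate a full PAN for storage.

    Defaults to the conservative 'first 6, last 4' the book recommends;
    a caller may keep more, but never beyond the limit for that length."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit():
        raise ValueError("PAN may contain only digits, spaces or hyphens")
    max_lead, max_trail = retention_limits(len(digits))
    if not (0 <= leading <= max_lead and 0 <= trailing <= max_trail):
        raise ValueError(
            f"may retain at most first {max_lead} and last {max_trail} "
            f"of a {len(digits)}-digit PAN"
        )
    masked = len(digits) - leading - trailing
    return digits[:leading] + MASK_CHAR * masked + digits[len(digits) - trailing:]


def is_compliant_truncation(stored: str) -> bool:
    """Audit an already-truncated field (e.g. a column or log value found
    during scoping) against the limits. A full PAN always fails."""
    if not stored or any(c not in _DIGITS + MASK_CHAR for c in stored):
        return False
    try:
        max_lead, max_other = retention_limits(len(stored))
    except ValueError:
        return False
    lead = len(re.match(r"\d*", stored).group(0))  # run of leading digits
    if lead == len(stored):
        return False                                # nothing masked: a full PAN
    rest = stored[lead:]
    other = sum(c in _DIGITS for c in rest)
    if lead > max_lead or other > max_other:
        return False
    if len(stored) == 15:
        # the 15-digit rule says "last 4", so the other digits must be a suffix
        trailing = len(rest) - len(rest.rstrip(_DIGITS))
        return other == trailing
    return True


def audit_fields(fields) -> list:
    """Return the fields that exceed the truncation limits."""
    return [f for f in fields if not is_compliant_truncation(f)]


if __name__ == "__main__":
    # Constructed sample values; not real card numbers.
    print(truncate_pan("4000 0012 3456 7890"))          # 400000XXXXXX7890
    print(truncate_pan("4000001234567890", leading=8))  # 40000012XXXX7890
    print(truncate_pan("370000123456789"))              # 370000XXXXX6789
    print(audit_fields(["400000XXXXXX7890", "400000123XXX7890", "4000001234567890"]))
```

The checker is the half most teams actually need: you rarely write the truncation code yourself (the processor or tokenization vendor does), but you do need to sweep logs, reports and database columns and prove that what remains is within the limits, so nothing that is supposed to be out of scope quietly drags a system back in.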
In cases where you need access to more than this for your job (hint: there should only be a couple of people in any company who fall into this category), the above guidance will help you avoid putting your scoping strategy at risk. Just don’t exceed what is here, and be sure to check the Council’s page often, as we are aware of new payment card lengths in the works. Should the guidance change, we’ll update our site here.