▲ 3 r/pcicompliance
Req 3.4.1 - Masking of PAN
One of my customers uses a BIN lookup service to determine whether a card’s BIN length is 6 or 8 digits and ensures that only the applicable BIN (6 or 8 digits) is displayed accordingly in the application.
However, in the database, there is a column that consistently stores and displays the first 8 digits of the PAN for all transactions, regardless of whether the actual BIN length for the card is 6 or 8 digits.
Is this approach compliant with PCI DSS requirements, specifically with respect to PAN display restrictions under Requirement 3.4.1?
u/Fresh-Estimate9729 — 10 days ago