1

I have a fraud detection system.

From the client side (browser) I want to receive the store BIN section of the card number (first 6 digits) and if possible also the last 4 digits

Besides the above, I do not process or store credit card number (or any other payment method). I also don't process or store any personal information (don't get user name / email / ID number etc.)

So, my question is: In my case as described above, if only storing the first 6 digits (and if possible also the last 4) - do I need to comply with any PCI (or other regulation) requirements?

It seems that storing only a fragment of the whole PAN is not under the scope of PCI (https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS), unless my systems is considered as a "connected system". So, if the client side where the user fills the credit card number, sends to my system only the BIN - should my system be considered as a "connected system" ?

Thanks!

Ran Wasserman
  • 19
  • 2
  • 3
    Have you read the PCI documentation? https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf – Jeroen Mar 20 '19 at 08:56
  • No. I try to understand if saving this kind of data without processing the actual card number and/or card holder information is even relevant to PCI. – Ran Wasserman Mar 20 '19 at 09:10
  • 4
    Possible duplicate of [Does transmitting first 6 and last 4 digits of the card number and expire date require PCI DSS compliance?](https://security.stackexchange.com/questions/168601/does-transmitting-first-6-and-last-4-digits-of-the-card-number-and-expire-date-r) – Jeroen Mar 20 '19 at 09:17
  • 1
    Thanks @Jeroen-ITNerdbox. I missed this one. Looking at the answers it points to this post that I viewed in the past https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS. But I am having hard time understanding if my system should be considered as a "connected system" – Ran Wasserman Mar 20 '19 at 09:26
  • 1
    if the user is filling in the card details in a browser and then the client side (code running in the browser) sends the BIN to my system. should this be considered as a "connected system " – Ran Wasserman Mar 20 '19 at 09:30

1 Answers1

2

So, if the client side where the user fills the credit card number, sends to my system only the BIN - should my system be considered as a "connected system" ?

No. The phrase "connected system" in PCI has a specific meaning, to quote DSS 3.2.1 "Scope of PCI DSS Requirements":

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.

"Connected" means that you're a Merchant or a Processor or some other entity that has a Cardholder Data Environment. The CDE is fundamentally in scope, and the systems "connected" to that environment are also in scope as a result of that connection.

If you are not a Merchant, and not gathering PAN, then you are not in scope for PCI DSS. (You want to be careful, though; I would ask the user for first 6 and last 4 and not have them type in the full PAN even if your code intends to discard the middle.)

gowenfawr
  • 72,355
  • 17
  • 162
  • 199