Cardholder data consists of a primary account number (PAN) plus either the cardholder name, expiration date or CVV. The PAN is the 14 to 16 digit number on the front of the card. The unnecessary storage of full card PAN information by merchants has led to incidents of data compromise, theft or unintended disclosure during disposal. Additional confusion exists due to inconsistent dispute resolution practices by issuers and acquirers in use across different geographies, leading some merchants to conclude that PAN data must be retained for all transactions.
Visa & MasterCard do not require merchants to store PAN but do recommend that merchants rely on their acquirer / processor to manage this information on the merchants’ behalf.
Some countries already have laws mandating PAN truncation and the suppression of expiration dates on cardholder receipts. For example, the United States Fair and Accurate Credit Transactions Act (FACTA) of 2006 prohibits merchants from printing more than the last five digits of the PAN or the card expiration date on any cardholder receipt. To ensure consistency in PAN truncation methods, MyGate has developed a list of truncation best practices that can be used.
PAN Truncation Best Practice
In addition to required compliance with applicable card data security standards, including the Payment Card Industry Data Security Standard (PCI DSS), and MyGate’s Best Practices for Tokenization of Cardholder Information, MyGate follows these best practices:
|Domain||Best Business Practice|
|Cardholder Receipts||Disguise or truncate all but the last four digits of the PAN, and suppress the full expiration date, on the cardholder’s copy of a transaction receipt. MyGate truncates PAN on all correspondence to the cardholder, including any of MyGate’s email receipt options or via a merchant initiating a cardholder receipt in the web console. Example: XXXXXXXXXXXX1234 for the PAN and XXXX for the expiration date.|
|Merchant Receipts||Disguise or truncate the PAN to display a maximum of the first six and last four digits, and suppress the full expiration date. MyGate truncates PAN on the merchant’s copy of a transaction receipt which gets displayed in the MyGate Web Console or via any emailed transaction notification. Example: 412345XXXXXX6789 or XXXXXXXXXXXX1234 for the PAN and XXXX for the|
|Merchant Transaction Data Storage by Acquirers||MyGate supports merchants by providing transaction data storage, thereby allowing merchants to retain only truncated PAN data on the merchant’s copy of an electronically generated receipt and in their transaction records (unless the merchant has a business need to retain the full card PAN).|
|Replacement Identifiers||MyGate’s systems provide merchants with substitute transaction identifiers such as transaction index, RRN or software tokens to facilitate retrieval of transaction data stored by MyGate or the acquirer, in lieu of using the PAN as a reference for individual transactions.|
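The two receipt formats in the table, applied to free text such as an emailed receipt body, as an added example (not MyGate's code). The function names, the Luhn filter used to skip non-card digit runs, and the sample numbers (public test card numbers and a constructed order number) are assumptions of this example.

```python
import re

# Candidate PAN: 14 to 16 digits (the range given on this page), optionally
# split by single spaces or hyphens, and not part of a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){13,15}(?!\d)")
_HEAD_DIGITS = {"cardholder": 0, "merchant": 6}  # leading digits left visible


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, audience: str = "cardholder") -> str:
    """Cardholder copy: last four only. Merchant copy: first six + last four."""
    if audience not in _HEAD_DIGITS:
        raise ValueError("audience must be 'cardholder' or 'merchant'")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 14 <= len(digits) <= 16:
        raise ValueError("expected a 14 to 16 digit PAN")
    head = _HEAD_DIGITS[audience]
    return digits[:head] + "X" * (len(digits) - head - 4) + digits[-4:]


def scrub_receipt(text: str, audience: str = "cardholder") -> str:
    """Truncate every Luhn-valid PAN in text; leave other digit runs alone."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group())
        return truncate_pan(digits, audience) if luhn_ok(digits) else match.group()
    return _PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed receipt line: a test card number plus a non-card order number.
    line = "Card 4111-1111-1111-1111 order 1234567890123456"
    print(scrub_receipt(line))               # cardholder copy
    print(scrub_receipt(line, "merchant"))   # merchant copy
```

The expiration date is not handled here; per the table it is suppressed in full on both copies.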
Due to legacy practices and a misinterpretation by merchants, many merchants unnecessarily store and/or print full card PANs on cardholder and merchant receipts. MasterCard and Visa rules do not require merchants to store full card PANs after settlement, and do allow merchant receipts with truncated PAN information to be retained for copy retrieval and dispute fulfilment. MyGate’s payment platform supports storage and truncation best practices without affecting merchants’ ability to meet PCI and dispute resolution requirements.