How many digits of a Visa card number can vendors disclose on receipts?

  • I visited a local McDonald's, and I noticed part of my Visa number repeated on the receipt like this: NNNN NN__ ____ NNNN. (So out of a total of 16 digits it breaks down like this: First six digits revealed, middle six digits hidden, final four digits revealed again.)

    So only 6 digits were hidden. Finding the correct number would take 1.000.000 guesses, but there is also a checksum that further decreases the number of guesses needed to 100.000 (by my, possibly wrong, calculation).

    Is there a policy on how many digits can be revealed? Could cards be in danger if companies hide only the six middle digits?

    The first few numbers identify the card and issuer, so they are common among all cardholders (and easy to determine if you see the graphics on the card). The last 4 digits are unmasked for your convenience. I'm not sure what risks there could be if someone was able to brute force the masked numbers.

    @schroeder Thanks, I was being paranoid in light of brute forcing reports (cvv and expiry dates) of credit card info. There are probably many easier ways to obtain credit card info.

    The first 6 digits are the IIN, so they're public domain. Per PCI they can be shown along with the last 4 digits.

    Additionally, the final number is just a checksum number anyway. If you do the fancy maths that's needed to check if a card number is valid, you should get that last digit as your result :)

    @Takarii : But exposing that last digit means that the brute-forcer has to guess one less digit - they can work out what it should be to get the guard digit correct.

    @MartinBonner That's true, but also keep in mind that a _valid_ number isn't necessarily an _active_ one. With expiration and valid from dates thrown in, it is possible for multiple people to have the same card number.

    What bothers me more about this is that a receipt from one merchant will say my card number is NNNN NN** **** NNNN and the receipt from another merchant will say **** **NN NNNN ****. (Or some variation on this, where with enough receipts showing different parts of the number, it's possible to piece together the whole number.)

    @Michael That shouldn't be an issue. The ones that were shown and weren't shown weren't chosen randomly and the middle numbers should NEVER be printed on any receipt from any merchant. The first 6 numbers are the card type and bank the card is with so aren't really secret information anyway. The last four are specifically the ones left visible so you can tell which card you used. That is the standard for all credit cards.

    On the flip side, scammers will sometimes use the opposite of the convention and if e.g. targeting Ireland use `4319 XXXX XXXX XXXX` which would cover pretty much all VISA debit and some VISA Credit cards in that area (other codes are equally common elsewhere). Someone unfamiliar with the numbering schemes but familiar with the general idea of disclosing 4 digits could, the idea goes, be fooled into thinking it must really be them.
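
The comments above turn on two points: the last digit is a Luhn check digit determined by the others, and the middle digits must never reach a printed receipt. The following is an added example (not code from anyone in this thread) showing the mod-10 check and a defender's use of it: scanning receipt or log text for full PANs that should have been masked. The receipt text is constructed for the example and uses publicly documented test card numbers, not real accounts; the `find_unmasked_pans` helper and its regex are this example's own.

```python
"""Luhn check and unmasked-PAN detection (added example, not from the thread)."""
import re

def luhn_sum(digits: str) -> int:
    """Luhn sum: every second digit from the right is doubled, and a
    doubled value above 9 has 9 subtracted (same as summing its digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total

def luhn_valid(pan: str) -> bool:
    """True when the whole number, final check digit included, passes mod 10."""
    digits = re.sub(r"[ -]", "", pan)
    return digits.isdigit() and len(digits) >= 2 and luhn_sum(digits) % 10 == 0

def luhn_check_digit(partial: str) -> str:
    """The one digit that, appended to `partial`, makes it Luhn-valid.
    This is the point made above: a visible check digit reveals nothing
    beyond what the other digits already determine."""
    partial = re.sub(r"[ -]", "", partial)
    # Append a placeholder 0 so the other digits sit in their final positions.
    s = luhn_sum(partial + "0")
    return str((10 - s % 10) % 10)

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit sequences found in free text. This is the
    check a receipt template or log scrubber should run: a properly masked
    PAN never yields a long enough digit run to match."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

# Constructed sample: one correctly masked line, two leaks, one non-card number.
RECEIPT_TEXT = """\
McBurger #42                 TERMINAL 07
Card: 4111 11** **** 1111    (masked as on the receipt in the question)
debug: pan=4111111111111111   <- full PAN leaked into a log line
alt: 5555 5555 5555 4444     <- second leak, with separators
Order ref 1234567890123      (13 digits, fails Luhn, not a card number)
"""

if __name__ == "__main__":
    print(luhn_check_digit("4111 1111 1111 111"))   # the determined last digit
    print(find_unmasked_pans(RECEIPT_TEXT))         # only the two leaked PANs
```

The masked line in the sample never matches because the asterisks break the digit run, while the 13-digit order reference matches the regex but fails Luhn, so a scrubber keyed on this check produces few false positives on ordinary receipt numbers.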

  • As per PCI, the first 6 (BIN) and the last 4 can be shown, others should be masked:

    From an official 2008 PDF: PCI Data Storage Do’s and Don’ts:

    Never store the personal identification number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed.

    PAN is Primary Account Number

    So as far as compliance goes, the data terminal used to print the receipt is compliant.

    I've always found PCI rules quite interesting when applied to Card Numbers with only 13 digits and using the Luhn Check. I also seem to remember that the US may have a different regulation in place?

    PCI states the _maximum_ not the minimum. As long as you don't display more than what is mandated by PCI, you are considered compliant. I remember in the US sometimes only the last 4 are shown.

    @BurhanKhalid Showing last 4 only is not much safer than showing first 6 and last 4. Because the first 6 are the issuer identification number, and there may not be that much actual variation in them.

    @MikeScott But as we can see, merchants still may wish to only show the last four, for reasons completely unrelated to security: to avoid alarmed questions from their customers. ;) (FWIW, it is most common in Canada to only show the last four digits on receipts. Whether this is due to a regulation or industry practice, I don't know.)

    Some companies use those digits as validation. So even that may be a liability. See the tale of Mat Honan.

    Note that there's a difference between what can be printed on the customer receipt and what can be on the merchant receipt. The merchant will often have the full PAN printed on their receipt - this can then be used for disputes, refunds etc.

    Even if it's permitted, it's a **really** bad idea to show both the BIN and the last four. I've had cards where all but the BIN and the last five were zero!

    The first 6 digits are used as a routing code. There aren't too many of them in use, as there are not that many processors. A good part of the range is reserved. https://en.wikipedia.org/wiki/Payment_card_number

    For some people, including myself, having the first 6 (or 4) would be better than the last. When I need to update a card with a merchant (e.g. the last round of re-issues in the US to add the chip) I need to know the BANK (BIN) for the card they have. The last 4 digits of the old card they have on file are gone -- destroyed with the old card.

    Better protection is to list the first 4, as they are the same for many, many people who have accounts from the same issuer/processor. A recent attack on Visa (didn't work on Mastercard) took advantage of the fact there are only a few "first six" in common use, plus the ability to "test" card numbers by placing only a couple of orders each across many different sites. No security trap sprung on individual sites, as the invalid attempts count on each individual site was "acceptable", and Visa did not aggregate failed attempts for the same "last 4" to recognize a distributed attack was in progress.
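
The answer and its comments give the rule (at most the first six and last four may be displayed), note that PCI sets a maximum rather than a minimum, and raise two practical wrinkles: 13-digit PANs, where first-six-plus-last-four leaves only three digits hidden, and receipts from different merchants revealing different parts of the number. The following is an added example (not code from this thread or from the PCI SSC) that implements the masking for a customer receipt and an audit check for a printed field. The `min_hidden` parameter is an assumed local policy knob, not a PCI requirement; the PANs used are public test numbers.

```python
"""PAN masking and receipt-field audit (added example, not from the thread)."""
import re

PCI_MAX_LEADING = 6    # the BIN / IIN
PCI_MAX_TRAILING = 4   # the digits cardholders use to recognise the card

def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and require a 13-19 digit PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits

def mask_pan(pan, show_first=6, show_last=4, min_hidden=6, mask_char="*"):
    """Mask a PAN for the customer copy of a receipt.

    show_first and show_last are capped at the PCI maxima. min_hidden is a
    local policy assumption: for short PANs the defaults hide too little
    (a 13-digit PAN would keep only 3 digits hidden), so leading digits are
    dropped first, then trailing ones, until at least min_hidden are masked.
    show_first=0 gives the 'last four only' style mentioned in the comments."""
    if show_first > PCI_MAX_LEADING or show_last > PCI_MAX_TRAILING:
        raise ValueError("PCI allows at most the first 6 and last 4 digits")
    digits = normalize_pan(pan)
    hidden = len(digits) - show_first - show_last
    while hidden < min_hidden and show_first > 0:
        show_first -= 1
        hidden += 1
    while hidden < min_hidden and show_last > 0:
        show_last -= 1
        hidden += 1
    return digits[:show_first] + mask_char * hidden + digits[len(digits) - show_last:]

def format_groups(masked: str) -> str:
    """Print in groups of four, as on the receipt in the question."""
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))

def masked_pan_is_compliant(receipt_field: str) -> bool:
    """Audit a printed field: digits may appear only as one leading run of at
    most six and one trailing run of at most four, with everything in between
    masked. This rejects both over-disclosure and the 'other merchant shows the
    middle digits' pattern from the comments, whatever mask character is used."""
    s = re.sub(r"[ -]", "", receipt_field)
    m = re.fullmatch(r"(\d*)([*_Xx#]+)(\d*)", s)
    if m is None:
        return False
    lead, _hidden, trail = m.groups()
    return len(lead) <= PCI_MAX_LEADING and len(trail) <= PCI_MAX_TRAILING

if __name__ == "__main__":
    for pan in ("4111 1111 1111 1111", "4222 2222 22222"):   # 16- and 13-digit test PANs
        print(format_groups(mask_pan(pan)), "|", format_groups(mask_pan(pan, show_first=0)))
    for field in ("4111 11** **** 1111", "**** **11 1111 ****"):
        print(field, "->", masked_pan_is_compliant(field))
```

The audit function is the piece worth running against real receipt templates: it only needs the printed field, not the PAN, so it can be applied to samples from any merchant.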

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM