PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
View Original →
FAQ #1091 Published

What are acceptable formats for truncation of primary account numbers?

This update includes minor clarifications about acceptable PAN / BIN lengths, as follows:

  • Adds UnionPay?s PAN / BIN formats to the table.
  • Reformats the table included in prior versions of this FAQ for readability.
  • Updates the PAN / BIN lengths for 16-digit PANs with 8-digit BINs for Mastercard and Visa.

Truncation is a method of rendering a full PAN unreadable by permanently removing a segment of PAN data and applies to PANs that are electronically stored, processed, and transmitted (for example, in files and databases).

Acceptable truncation formats vary according to PAN length and Payment Brand requirements. - A maximum of the first 6 and last 4 digits of the PAN is the starting baseline for entities to retain after truncation, considering the business needs and purposes for which the PAN is used. - When more digits of the PAN are necessary for business functions, entities should consult the table below for the acceptable formats for each Payment Brand.

| PAN / BIN Length | Payment Brand | Acceptable PAN Truncation Formats | | >16-digit PAN with
8-digit BIN | UnionPay | At least 6 digits removed. Maximum digits which may be retained:
17-digit PAN: ?First 6, any other 5?
18-digit PAN: ?First 6, any other 6?
19-digit PAN: ?First 6, any other 7? | | >16-digit PAN with
6-digit BIN | Mastercard
UnionPay
Visa | At least 6 digits removed. Maximum digits which may be retained:
17-digit PAN: ?First 6, any other 5?
18-digit PAN: ?First 6, any other 6?
19-digit PAN: ?First 6, any other 7? | | 16-digit PAN with
8-digit BIN | Discover
UnionPay | At least 6 digits removed.Maximum digits which may be retained:
?First 6, any other 4? | | Mastercard
Visa | At least 4 digits removed.Maximum digits which may be retained:
?First 8, any other 4” | | 16-digit PAN with
6-digit BIN | Discover
Mastercard
JCB
UnionPay
Visa | At least 6 digits removed.Maximum digits which may be retained:
?First 6, any other 4? | |
15-digit PAN | American Express
| At least 5 digits removed.Maximum digits which may be retained:
?First 6, last 4? | | Mastercard | At least 5 digits removed.Maximum digits which may be retained:
?First 6, any other 4? | | <15 digit PAN | Discover
Mastercard | Maximum digits which may be retained:
?First 6, any other 4? |

When using truncation formats for purposes other than storage, entities should confirm that their format is compatible with each of the applicable Payment Brands.

To determine whether a PAN has a 6- or 8-digit BIN, contact the acquirer or the Payment Brands. Contact information for the Payment Brands can be found in FAQ 1142 How do I contact the payment card brands?

Note: Access to different truncation formats of the same PAN greatly increases the ability to reconstruct full PAN, and the security value provided by an individual truncated PAN is significantly reduced.If the same PAN is truncated using more than one truncation format (for example, different truncation formats are used on different systems), additional controls should be in place to ensure that the truncated versions cannot be correlated to reconstruct additional digits of the original PAN.

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.