I have recovered my credit card PAN (6 chars masked) and expiration date on a merchant site, acceptable or not?

I have a credit card saved on merchant X. I only see the last 4 digits in the UI. I launched a 3-D Secure payment transaction using my saved card. Then I noticed that, even for failed transactions, the browser posts my stored credit card information (PAN with 6 characters masked + expiry date) back to merchant X's website. IMHO this is a security risk; I would not do this as a developer. But what about PCI DSS? Does this comply with PCI DSS?

"The first six and last four digits are the maximum number of digits that may be displayed." (Reference)

It looks like PCI DSS allows displaying the PAN like this, but I could not find any information about masking the expiry date. That is the point I have no answer for.
http://dlvr.it/S0QqNY
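Added worked example (not part of the original post or of any merchant's code): the PAN display rule quoted above, "first six and last four digits at most", expressed as a masking function plus an audit of a posted form payload that flags fields carrying an unmasked PAN or a masked PAN showing too many digits. It covers the PAN only; the expiry-date question the post raises is not decided here. The payload and card numbers are constructed test data (4111111111111111 is a widely used test PAN), and the field names, the `X` mask character and the 13-19 digit length range are assumptions.

```python
"""Mask a PAN per the PCI DSS display rule quoted in the post and audit a
posted form payload for over-exposed PAN fields.  Added example, not the
post's or any merchant's code.  All sample data below is constructed."""
import re

# Display rule quoted in the post: at most first six and last four digits shown.
MAX_LEADING = 6
MAX_TRAILING = 4
MASK_CHAR = "X"            # assumption: 'X' is the mask character in use


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Return the PAN with only `leading` and `trailing` digits visible.
    Refuses to keep more digits than the display rule allows."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:            # assumption: PAN length range
        raise ValueError("PAN must be 13-19 digits")
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("mask would show more digits than the display rule allows")
    hidden = len(digits) - leading - trailing
    if hidden < 1:
        raise ValueError("nothing left to mask")
    return digits[:leading] + MASK_CHAR * hidden + digits[len(digits) - trailing:]


def exposed_digits(masked: str) -> tuple:
    """(leading, trailing) count of digits visible at each end of a masked PAN."""
    s = re.sub(r"[\s-]", "", masked)
    lead = len(re.match(r"\d*", s).group())
    trail = len(re.search(r"\d*$", s).group())
    return lead, trail


def is_display_compliant(masked: str) -> bool:
    """True if the masked value shows at most 6 leading / 4 trailing digits
    and no digits inside the masked run."""
    s = re.sub(r"[\s-]", "", masked)
    lead, trail = exposed_digits(s)
    if lead == len(s):                          # not masked at all
        return False
    if re.search(r"\d", s[lead:len(s) - trail]):  # digits leaking mid-mask
        return False
    return lead <= MAX_LEADING and trail <= MAX_TRAILING


def audit_payload(payload: dict) -> dict:
    """Classify each posted field as 'full_pan' (unmasked card number that
    passes Luhn), 'over_exposed' (masked PAN showing too much), or skip it."""
    findings = {}
    for name, value in payload.items():
        compact = re.sub(r"[\s-]", "", str(value))
        if re.fullmatch(r"\d{13,19}", compact) and luhn_ok(compact):
            findings[name] = "full_pan"
        elif (re.fullmatch(r"[\dX*#]{13,19}", compact)
              and re.search(r"\d", compact) and re.search(r"\D", compact)
              and not is_display_compliant(compact)):
            findings[name] = "over_exposed"
    return findings


# Constructed example of a form body posted back to the merchant.
SAMPLE_POST = {
    "card_number": "4111111111111111",   # full PAN: should never be posted back
    "masked_card": "411111111111XXXX",   # 12 leading digits visible: too many
    "display_card": "411111XXXXXX1111",  # first 6 / last 4: within the rule
    "expiry": "12/2026",
    "cardholder": "J. Doe",
}

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(audit_payload(SAMPLE_POST))
```

Run it against a captured request body (e.g. from the browser's network tab) instead of `SAMPLE_POST` to see which fields, if any, carry the PAN back to the server. Note that the rule is about display: even a compliantly masked value is still data the server should not need from the client, since it already holds the stored card.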