PCI DSS masking bank account number


I am just curious: does the PCI DSS regulation require us to mask the bank account number? I know that credit card numbers need to be masked, but what about bank account numbers?

Thanks in advance for the answer.


Oleg Dubas

No, even with the latest PCI DSS 3.0 you don't have to mask bank account numbers to be PCI compliant.

All they care about is Cardholder Data, in particular the PAN (card number). The PAN must be stored encrypted (strong encryption, like AES-128 plus KEKs and key management) and masked everywhere it's displayed.

Anything else, including card expiry dates, addresses, and bank routing and account numbers, literally everything besides PANs (excluding the CVC code and magnetic stripe data, which you cannot store under any circumstances), you can store in the open, and even display everywhere, and still be PCI compliant.

On the other hand, there's common sense. For security you should encrypt and mask bank account numbers as well. They can be compromised too, and it won't bring you any good times.
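The masking the answer describes, as an added example that is not part of the original question or answer. It applies the PCI DSS display rule for PANs (at most the first six and last four digits visible, with a Luhn check so that non-PAN digit runs are left alone) and, following the answer's "common sense" advice rather than any PCI DSS requirement, masks bank account numbers down to their last four digits. It goes one step beyond the text by also redacting PANs found inside free text such as log lines, which is where PANs most often leak. The sample card number is the well-known Luhn-valid test value 4111 1111 1111 1111; the account number and log line are constructed for the example.

```python
"""Display masking for PANs and bank account numbers (added example).

Assumptions: PANs may show at most the first six and last four digits
(PCI DSS requirement 3.3); the last-four rule for bank account numbers is
this example's own choice, not a PCI DSS requirement.
"""
import re

MASK_CHAR = "X"

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to tell PANs apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_keep(value: str, keep_first: int, keep_last: int) -> str:
    """Replace every digit except the first/last N with MASK_CHAR.
    Non-digit separators (spaces, dashes) are kept in place so the
    masked value lines up with the original on screen."""
    n = sum(ch.isdigit() for ch in value)
    keep_first = max(0, min(keep_first, n))
    keep_last = max(0, min(keep_last, n - keep_first))
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            visible = i < keep_first or i >= n - keep_last
            out.append(ch if visible else MASK_CHAR)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. Callers may ask for fewer visible digits
    than PCI DSS allows, never more; the caps are enforced here."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return _mask_keep(pan, min(keep_first, 6), min(keep_last, 4))


def mask_account_number(acct: str, keep_last: int = 4) -> str:
    """Mask a bank account number, leaving only the last four digits.
    An account number too short to partially mask is masked entirely."""
    digits = re.sub(r"\D", "", acct)
    if len(digits) <= keep_last:
        return _mask_keep(acct, 0, 0)
    return _mask_keep(acct, 0, keep_last)


def redact_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in free text (e.g. a log line);
    digit runs that fail Luhn (order ids, timestamps) are left untouched."""
    def _sub(match: "re.Match[str]") -> str:
        candidate = match.group(0)
        if luhn_valid(re.sub(r"\D", "", candidate)):
            return _mask_keep(candidate, 6, 4)
        return candidate
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample values.
    print(mask_pan("4111 1111 1111 1111"))
    print(mask_account_number("0123456789"))
    print(redact_pans_in_text(
        "2019-05-01 payment card=4111111111111111 acct=0123456789 ref=1234567890123456"))
```

Note that `redact_pans_in_text` deliberately leaves the account number alone: the answer's point is that PCI DSS only covers the PAN, so a generic log scrubber has no structural way to recognise an account number and masking it must be done at the point where the application knows what the field is, as `mask_account_number` does.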