Applicability of PCI DSS and PA-DSS to Safer Payments

Safer Payments installations must be configured and operated in a way that ensures compliance with PCI DSS.

In payment card issuing, the Primary Account Number (PAN) is the defining factor for preventing fraud in a successful Safer Payments operation.

PCI DSS compliance means considerable administrative work for Safer Payments licensees. An easy way to avoid these additional efforts is not to process or store any clear-text or encrypted PAN in Safer Payments. This can be achieved by hashing PANs before they are sent to Safer Payments. Licensees following this path can ignore the PCI DSS specifications regarding their Safer Payments installation. This is a fairly viable approach, unless you are a payment card issuer or its processor.

However, using a partly hashed PAN throughout the whole Safer Payments installation is highly impractical in card-issuing fraud prevention. Safer Payments users need to see the clear-text PAN to retrieve additional information from other systems, talk to cardholders, analyze fraud patterns and trends, and so on. In addition, many fraud patterns can only be detected and stopped by including the PAN in Safer Payments decision models. Therefore, Safer Payments provides user access rights. For example, users with a legitimate need to work with the decrypted PAN can do so, whereas standard users see PANs only masked.
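The two approaches described above, hashing the PAN before it leaves the licensee's systems and masking it for users without a clear-PAN entitlement, as an added illustration. This is example code written for this page, not Safer Payments product code or an IBM API; the function names, the `can_view_clear_pan` flag, the first-six/last-four mask layout, and the sample key and transaction are all assumptions constructed for the example. The hash is keyed (HMAC-SHA256) rather than a plain digest because the PAN space is small enough to enumerate, so an unkeyed hash would not render the PAN unreadable; the key is assumed to be held outside Safer Payments.

```python
import hashlib
import hmac

# Constructed sample key for this example only. In a real deployment the key is
# generated and stored in a key vault or HSM and never reaches Safer Payments.
EXAMPLE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    cleaned = "".join(c for c in pan if c.isdigit())
    if not 13 <= len(cleaned) <= 19 or not luhn_valid(cleaned):
        raise ValueError("not a valid PAN")
    return cleaned


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash of the full PAN; the same PAN always maps to the same token,
    so Safer Payments can still correlate transactions per card."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits (assumed mask layout)."""
    p = normalize_pan(pan)
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def build_outbound_record(txn: dict, key: bytes) -> dict:
    """Replace the clear PAN with its keyed hash before the record is sent to
    Safer Payments, so no clear-text or encrypted PAN is stored there."""
    record = dict(txn)
    record["pan_hash"] = hash_pan(record.pop("pan"), key)
    return record


def render_pan_for_user(pan: str, can_view_clear_pan: bool) -> str:
    """Access-rights check for the issuer scenario: only entitled users get the
    clear PAN, everyone else sees it masked."""
    return normalize_pan(pan) if can_view_clear_pan else mask_pan(pan)


if __name__ == "__main__":
    # Constructed sample transaction using a well-known test card number.
    txn = {"pan": "4111 1111 1111 1111", "amount": "42.00", "merchant": "M-1"}
    print(build_outbound_record(txn, EXAMPLE_KEY))
    print(render_pan_for_user(txn["pan"], can_view_clear_pan=False))
    print(render_pan_for_user(txn["pan"], can_view_clear_pan=True))
```

In the non-issuer path only `build_outbound_record` runs, and the record that reaches Safer Payments carries `pan_hash` but no `pan`, which is what takes the installation out of PCI DSS scope. In the issuer path the clear PAN is present and `render_pan_for_user` stands in for the access-rights decision the product makes per user.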