Applicability of PCI DSS to IBM Safer Payments
IBM® Safer Payments installations must be configured and operated in a way that ensures compliance with PCI DSS.
In payment card issuing, the Primary Account Number (PAN) is the key data element for preventing fraud in a successful IBM Safer Payments operation.
PCI DSS compliance means considerable administrative work for Safer Payments licensees. One way to avoid this additional effort is not to process or store any clear-text or encrypted PAN in Safer Payments at all. To achieve this, PANs are hashed before they are sent to Safer Payments. Licensees who follow this path can disregard the PCI DSS requirements for their Safer Payments installation. This is a viable approach unless you are a payment card issuer or its processor.
However, using only a partly hashed PAN throughout the whole Safer Payments installation is highly impractical in card-issuing fraud prevention. Safer Payments users need to see the clear-text PAN to retrieve additional information from other systems, talk to cardholders, analyze fraud patterns and trends, and so on. In addition, many fraud patterns can be detected and stopped only by including the PAN in Safer Payments decision models. Therefore, Safer Payments controls PAN visibility through user access rights: users with a legitimate need to work with the decrypted PAN can do so, whereas standard users see PANs only in masked form.
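The two options the page describes, hashing the PAN before it reaches the fraud system (the out-of-scope path) and masking the PAN at display time according to user access rights (the issuer path), are illustrated below in an added Python example. This is not IBM code and does not use any Safer Payments API; the key, the `pan_clear_view` access right, the sample transactions and the ingest/velocity helpers are all constructed for the illustration. The example uses a keyed hash (HMAC-SHA256) rather than a plain SHA-256, because the PAN space is small and Luhn-structured, so an unkeyed hash of a PAN offers little protection if the hash list is exposed; the key would in practice be held in an HSM or key-management service, not beside the tokens.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key (assumption). In a real deployment the key lives in an
# HSM/KMS and is never stored alongside the tokens it produces.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Return True if pan is 12-19 digits and passes the Luhn check."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a PAN, computed before data is sent on to
    the fraud system. Deterministic, so the same card always maps to the same
    token and the token can serve as a stable key in decision models. Keyed,
    because an unkeyed SHA-256 over the small PAN space could be matched by
    enumeration if the hash list leaked."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Masked display form: first six and last four digits visible, the most
    PCI DSS permits on displays for users without a need to see the full PAN."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def render_pan(pan: str, user_rights: set) -> str:
    """Access-right check at display time. Only a user holding the
    hypothetical 'pan_clear_view' right sees the clear PAN; all other users
    get the masked form."""
    if "pan_clear_view" in user_rights:
        return pan
    return mask_pan(pan)


# Constructed sample transactions using public test card numbers, not real
# accounts.
SAMPLE_EVENTS = [
    {"pan": "4111111111111111", "amount": 120.00, "merchant": "M1"},
    {"pan": "5555555555554444", "amount": 19.99, "merchant": "M2"},
    {"pan": "4111111111111111", "amount": 640.00, "merchant": "M3"},
]


def tokenize_events(events, key: bytes = DEMO_KEY):
    """What an ingest gateway on the hashed-PAN path would forward: every
    record carries the token and the clear PAN is dropped."""
    out = []
    for e in events:
        rec = {k: v for k, v in e.items() if k != "pan"}
        rec["pan_token"] = pan_token(e["pan"], key)
        out.append(rec)
    return out


def velocity_by_token(events, key: bytes = DEMO_KEY) -> Counter:
    """Per-card velocity counting works unchanged on tokens, which shows the
    kind of rule that survives hashing. Rules that need digits of the PAN
    itself cannot run on the token; that is the trade-off the page describes."""
    return Counter(e["pan_token"] for e in tokenize_events(events, key))


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(render_pan(e["pan"], {"analyst"}),
              render_pan(e["pan"], {"pan_clear_view"}))
    print(velocity_by_token(SAMPLE_EVENTS))
```

Note that `pan_token` and `mask_pan` both validate the PAN first: masking a string that is not a PAN would silently leak whatever it is, and tokenizing malformed input hides data-quality problems from the fraud team.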