PCI and Exception-Based Reporting
While all retailers are now familiar with the Payment Card Industry (PCI) Data
Security Standards (DSS), some are still working on how best to protect
cardholder data within their exception based reporting (EBR) application.
Ultimately, the answer on how this data will be protected may depend on
company-wide decisions or chosen protection methods. However, how your company
chooses to protect the data may affect your ability to also effectively utilize
reporting to detect exceptions.
The most common methods of cardholder data protection currently in use are:
Masking, Encrypting, and Hashing. Each of these techniques has its benefits and
limitations as they relate to their ability to provide adequate reporting within
an EBR application.
Masking is the method most consumers are familiar with since many retailers,
restaurants, etc., began "masking" credit card numbers on receipts, even before
PCI-DSS was a requirement. Masking involves "hiding" certain numbers within the
credit/debit card number. Businesses that mask credit/debit card numbers can
show up to the first 6 digits and the last 4 digits of the number, with all
digits in between "masked" (usually shown as "X" on a receipt).
While this method is the easiest to implement, and can provide valuable
information for the merchant, it has also been found to be the least "safe"
method for protecting cardholder data. Since the majority of credit/debit card
numbers most commonly used in the United States consist of 14-16 digits, a
hacker need only to identify 4-6 digits in order to obtain a complete, valid
credit/debit card number. Research suggests this can be accomplished in a matter
of a few hours.
Read more here.