Prepare for 19-Digit Credit Cards
Visa will soon begin issuing the long rumored 19-digit credit card numbers. This shift to an extended Primary Account Number (PAN) could start as soon as February 2017, and it could have a significant impact on the industry.
Are 19-digit PANs New?
Many people assume that all PANs are 16 digits long. However, several card brands have always allowed either a fixed set of PAN lengths or a range of lengths, with 16 digits being the most common. The table below shows issuers that allow up to 19-digit PANs. Several brands also allow shorter PANs; American Express (15 digits) is the most common of these. Some Diners Club, Maestro and Visa cards even allow PANs of between 12 and 14 digits.
| Card Brand | PAN Length (digits) |
|---|---|
| China UnionPay | 16 - 19 |
| | 16 or 19 |
| InterPayment | 16 - 19 |
| Laser | 16 - 19 |
| Maestro | 16 - 19 |
| Solo | 16, 18 or 19 |
| Switch | 16, 18 or 19 |
| Visa | 16, 18 or 19 |
| Verve | 16 or 19 |
Potential Impact on Merchants and Service Providers
Merchants and Service Providers could be significantly impacted if PAN length increases beyond 16 digits. They should consider the following situations:
- Application and Supporting Architecture Configuration: Many organizations have configured their applications, databases and security appliances (Data Loss Prevention, etc.) based on 15- and 16-digit card numbers. Source code may need to be revisited to ensure that pieces of the application architecture, such as web pages, input validation routines, business logic, and database fields, are not limited to 16 digits. In addition, testing performed during the development process, such as load and regression testing, will need to be updated to accommodate longer PANs.
- Card Truncation: If PANs are being retained, PCI allows either the “last four” or the “first six and last four” of the PAN to be stored. Organizations will need to ensure that the correct digits are stored. For example, if the “first six and last four” are logged by position rather than relative to the end of the number, an organization may accidentally store the wrong digits because of the extended length, and the last three digits of a 19-digit card number would be missed entirely.
- Hash Strength: Unfortunately, the addition of three digits will NOT significantly improve the security of card number hashes. The inherent risk of hash cracking using brute force techniques is still in place and the use of a salt or slow hash algorithm is recommended for additional security. However, the best option is still to not store Card Holder Data (CHD) in the first place.
- 16-Digit Checks: Many scripts, such as triggers and stored procedures used for encryption and retention management, are configured for 16-digit numbers. In addition, security tools like Data Loss Prevention (DLP) solutions, encryption software and data discovery software also home in on the number of digits. Any place where this number has been fixed at 16 needs to be expanded.
Recommendations for PCI Assessors
There will not be a significant impact for Qualified Security Assessors (QSAs). The change in digits should not significantly affect assessment procedures, but it will require QSAs to be a little more mindful when performing technical testing. For example, reviews of logs and databases cannot rely solely on checks for 16-digit numbers. Assessors should check for the full range of potential PAN lengths (13 – 19 digits) using the Luhn (Mod 10) algorithm. The good news is that the Luhn algorithm is not limited by the number of digits and can validate numbers longer (and shorter) than 16 digits.
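The following is an added example (not code from the original article) that ties together the truncation pitfall and the assessor's log check described above: a length-independent Luhn validator, a “first six and last four” truncation that works for any PAN length beside a position-based variant that silently drops the last three digits of a 19-digit PAN, and a 13–19 digit discovery pattern run over a few constructed log lines. The log lines and PANs (including the 19-digit 4111111111111111110) are constructed test values, not real cards.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Luhn (Mod 10) check; works for any PAN length, not only 16 digits."""
    if not pan.isdigit():
        return False
    total = 0
    # Walk the digits right to left and double every second one.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """PCI-style 'first six and last four', computed relative to the PAN's
    real length so it is correct for 13- to 19-digit numbers alike."""
    if not 13 <= len(pan) <= 19:
        raise ValueError("unexpected PAN length")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def truncate_pan_16_only(pan: str) -> str:
    """Buggy variant that hard-codes 16-digit positions: on a 19-digit PAN it
    keeps digits 13-16 instead of the true last four, losing the final three."""
    return pan[:6] + "******" + pan[12:16]

# Discovery patterns: the first covers the full 13-19 digit range, the second
# is the common 16-only assumption. Lookarounds stop partial matches inside
# longer digit runs.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
PAN_RE_16 = re.compile(r"(?<!\d)\d{16}(?!\d)")

def find_pans(text: str, pattern: re.Pattern = PAN_RE) -> list:
    """Return digit runs matching `pattern` that also pass the Luhn check,
    which filters out order ids and other non-PAN numbers."""
    return [m.group(0) for m in pattern.finditer(text) if luhn_valid(m.group(0))]

# Constructed sample log lines (not real data).
LOG = """2016-11-28 10:02:11 auth ok pan=4111111111111111 amt=12.00
2016-11-28 10:03:45 auth ok pan=4111111111111111110 amt=40.00
2016-11-28 10:04:02 order id=1234567890123 status=shipped
"""

if __name__ == "__main__":
    print(find_pans(LOG))             # both PANs; the 13-digit order id fails Luhn
    print(find_pans(LOG, PAN_RE_16))  # the 19-digit PAN is missed entirely
    print(truncate_pan("4111111111111111110"), truncate_pan_16_only("4111111111111111110"))
```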
In conclusion, an increase in PAN length could have a significant impact on Merchants and Service Providers. Many processes and procedures supporting PCI compliance efforts assume a fixed card length. As a result, due diligence will be critical when updating systems to support this change.
Published date:  28 November 2016
Written by:  Chris Gida