While displaying the first 4 (actually 6 plus the last 4) is allowed under PCI DSS, it would not be enough to identify a card if the holder has multiple cards from the same institution...

I have 3 accounts (2 personal, 1 business) with the same bank. I just looked; all 3 carry the same first 8 digits on the card.

Robert F. Porter, MCSE, CCNA, ZCE
Lead Sr. Programmer / Analyst
Laboratory Information Services
Ochsner Health System

>>> "Anthony W. Youngman" <[email protected]> 1/16/2010 5:37 PM >>>

...

Certainly with Barclaycard/Visa, the *first* four digits are pretty much constant per the issuer. It's the last digits that vary most. So if you only display the *first* four digits, you will give enough info to the card owner for him to identify his card, but any attacker will only be able to identify the bank that issued the card. All Barclaycards, for example, begin with 4929 iirc (or they did, I think there are a couple of other variants around now).

...

_______________________________________________
U2-Users mailing list
[email protected]
http://listserver.u2ug.org/mailman/listinfo/u2-users
