Credit card store first six digits PCI reference

Considering your questions indicate you are already processing cardholder data, either by transferring PANs or storing (partial) PANs, you fall in the category of SAQ-D. This means you should already be undergoing PCI audits (provided you have over 300k transactions annually), so it is best to check with your QSA and see what they say.


The first 6 digits are not extremely sensitive information. They comprise the IIN or Issuer Identification Number (https://en.wikipedia.org/wiki/Bank_card_number). The last four digits are also not considered sensitive information. In fact, the first six and last four are the maximum number of digits that are allowed to be displayed (see PCI DSS 3.3, https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf; all other PCI number references come from this document).

However the EXP Date + PAN IS considered sensitive information. Page 2 of this document has a nice explanation of storage procedures (https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf).

In addition, 3.4 applies in this case. You have rendered the number unusable through truncation (although the Luhn checksum allows for the number to be guessable). However, you must protect the EXP Date, and it is recommended (note that it does not appear to be required) to not store the truncated PAN in plain text but to stack protection with one-way hashing or encryption.


I think you mixed up the meaning of the different requirements and have a certain confusion.

Requirement 3.3, "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)", talks about display, not storage! If you mask the PAN, it provides a solution for this requirement.

Requirement 3.4, "Render PAN unreadable anywhere it is stored ...", talks about storage, not display!

You wrote "I need to store masked PAN". Masked PAN is related to Requirement 3.3, and storage is related to Requirement 3.4. To fulfill this requirement you can use one-way hash / truncation / cryptography / token.
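The sketch below is an added example, not code from either answer. It separates masking for display (3.3) from truncation for storage (3.4), and counts how many 16-digit numbers remain consistent with a first-six/last-four truncation once the Luhn checksum mentioned in the first answer is applied. The function names, the sample card number and the use of HMAC-SHA-256 as the one-way hash are assumptions of this example.

```python
import hashlib
import hmac

def luhn_valid(pan: str) -> bool:
    """True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_for_display(pan: str) -> str:
    """Requirement 3.3 (display): show at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def truncate_for_storage(pan: str) -> tuple[str, str]:
    """Requirement 3.4 (storage) by truncation: the middle digits are dropped."""
    return pan[:6], pan[-4:]

def luhn_candidates(first6: str, last4: str, length: int = 16) -> int:
    """Count full-length numbers that fit a truncated PAN and pass Luhn."""
    hidden = length - 10
    return sum(
        luhn_valid(f"{first6}{middle:0{hidden}d}{last4}")
        for middle in range(10 ** hidden)
    )

def keyed_hash(pan: str, key: bytes) -> str:
    """One-way value for storage; HMAC-SHA-256 is this example's choice."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    pan = "4111111111111111"        # constructed sample: a widely used test number
    key = b"constructed-demo-key"   # constructed key, for the demo only
    print(mask_for_display(pan))                         # what a screen may show
    print(truncate_for_storage(pan))                     # what a table may keep
    print(luhn_candidates(*truncate_for_storage(pan)))   # residual search space
    print(keyed_hash(pan, key))
```

Of the 1,000,000 possible middle-digit combinations, 100,000 pass Luhn, which is why the example keys the hash instead of relying on a plain digest of the full number.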