PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded payment cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC). It was created to increase the controls around cardholder data and so reduce payment card fraud. Compliance is validated annually: organizations handling large transaction volumes are assessed by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA), who produces a Report on Compliance (ROC); organizations handling smaller volumes complete a Self-Assessment Questionnaire (SAQ) instead.
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called control objectives.
Each version of PCI DSS has divided these twelve requirements into a number of sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard. See table 1 below.
TABLE 1: PCI DSS Requirements (control objectives and the requirements under each)

Build and maintain a secure network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications

Implement strong access control measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Regularly monitor and test networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an information security policy
    12. Maintain a policy that addresses information security
Payment Card Numbers
A payment card number, or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards, and other similar cards. In some situations, the card number is referred to as a bank card number. The card number is merely a card identifier and does not identify the account to which it is linked by the issuing company, nor does it identify the cardholder. The card number identifies the issuer of the card, which is then electronically associated by the issuing organization with one of its customers and then to the customer's designated bank accounts. In the case of stored-value type cards, there is no necessary association with a particular customer. Card numbers are allocated in accordance with ISO/IEC 7812. The card number is usually prominently embossed on the front of a payment card.
The payment card number differs from the Bank Identifier Code (BIC/ISO 9362, a normalized code—also known as Business Identifier Code, Bank International Code, and SWIFT code). It also differs from Universal Payment Identification Code, another identifier for a bank account in the United States.
The leading six digits of the card number are the issuer identification number (IIN), often called the bank identification number (BIN). In PCI DSS usage the full card number, IIN included, is the primary account number (PAN); the digits after the IIN are the individual account identifier, followed by a check digit. IINs and PANs have internal structure and share a common numbering scheme set by ISO/IEC 7812. Note that the 2017 revision of ISO/IEC 7812-1 lengthened the IIN to eight digits, so code that hard-codes a six-digit IIN should treat that length as configurable.
Payment card numbers can be up to 19 digits long and consist of:
    a six-digit Issuer Identification Number (IIN), the first digit of which is the Major Industry Identifier (MII);
    a variable-length (up to 12 digits) individual account identifier; and
    a single check digit calculated using the Luhn algorithm.
Primary Account Number (PAN)
The 14-, 15-, or 16-digit number that appears on the primary account holder's credit card (ISO/IEC 7812 permits up to 19 digits, but these are the common lengths). The primary account number (PAN) is often simply called the account number. If the account has a secondary account holder, the secondary user's card may carry a secondary account number, or both users' cards may carry the primary account number, depending on the issuer's policy. By contrast, a business credit card account may have a primary account number that appears on no employee's card, with a distinct secondary account number on each employee's card.
The first digit is the major industry identifier (MII), and for the major brands it also identifies the card network. American Express cards start with a 3, Visa cards start with a 4, MasterCard cards start with a 5 (and, since 2017, also with a 2 in the 2221 to 2720 range), and Discover cards start with a 6. Certain airline cards start with a 1 or 2, certain petroleum company cards start with a 7, and certain telecommunications and healthcare cards start with an 8.
The first six digits (the IIN) identify the issuer, and through it the card network, such as 601100 for a Discover card. The last digit is a Luhn check digit. It catches accidental transcription errors and rejects most randomly typed numbers, but it is not a security control: the algorithm is public, so anyone can produce a number that passes the check, and a number that passes it is not thereby a genuine account. The digits between the IIN and the check digit identify the individual account with that issuer.
Card networks such as Visa require merchants to take precautions to protect customers' primary account numbers. One such measure is PAN truncation: Visa notes that merchants are not required to store full account numbers, and that doing so presents a security risk in the event of a data breach. PCI DSS itself (Requirement 3) is stricter still: a displayed PAN must be masked to at most the first six and last four digits, and a stored PAN must be rendered unreadable (by truncation, one-way hashing, index tokens, or strong encryption). In the United States, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) prohibits merchants from printing more than the last five digits of a cardholder's account number on an electronically printed receipt, and from printing the card's expiration date.
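To make the number structure, the Luhn check digit and the truncation rules above concrete, here is an added example in Python. It is not code from the original page, from PCI SSC or from any card brand. It splits a PAN into MII, IIN, account identifier and check digit, validates and regenerates the Luhn check digit (which also shows why Luhn is not a security control), masks a PAN to the PCI DSS first-six/last-four maximum, and scans a few constructed log lines for unmasked PANs, using Luhn to discard digit runs such as order and trace IDs. The `MII` table, the `IIN_LENGTH` setting and the `SAMPLE_LOG` lines are constructed for this example; the card numbers in it are the widely published industry test numbers, not real accounts.

```python
"""Parse, validate, mask and scan for payment card numbers (PANs).

Added example; the PANs used are the well-known industry test numbers, not real accounts.
"""
import re

# Major Industry Identifier (MII) = first digit of the PAN, per ISO/IEC 7812 (constructed table).
MII = {
    "1": "airlines",
    "2": "airlines and other industry assignments (incl. Mastercard 2-series)",
    "3": "travel and entertainment (American Express, Diners Club, JCB)",
    "4": "banking and financial (Visa)",
    "5": "banking and financial (Mastercard)",
    "6": "merchandising and banking (Discover)",
    "7": "petroleum",
    "8": "healthcare and telecommunications",
    "9": "national assignment",
}
IIN_LENGTH = 6  # assumption for this example; ISO/IEC 7812-1:2017 extends the IIN to 8 digits


def _luhn_sum(digits: str) -> int:
    """Luhn sum with the rightmost digit in the (undoubled) check-digit position."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2   # subtracting 9 equals summing the two digits
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and _luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes IIN + account identifier pass Luhn. The algorithm is
    public, so anyone can mint a valid-looking number: Luhn is an error check, not auth."""
    return str((10 - _luhn_sum(partial + "0") % 10) % 10)


def parse_pan(raw: str) -> dict:
    """Split a PAN into MII, IIN, individual account identifier and check digit."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("a PAN is 13 to 19 digits")
    return {
        "mii": pan[0],
        "industry": MII.get(pan[0], "unassigned"),
        "iin": pan[:IIN_LENGTH],
        "account_identifier": pan[IIN_LENGTH:-1],
        "check_digit": pan[-1],
        "luhn_ok": luhn_valid(pan),
    }


def mask_pan(pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Mask for display. The defaults are the PCI DSS maximum (first six, last four);
    use keep_prefix=0 for receipts, where FACTA allows at most the last five digits."""
    if keep_prefix + keep_suffix >= len(pan):
        raise ValueError("mask would reveal the whole PAN")
    return pan[:keep_prefix] + "x" * (len(pan) - keep_prefix - keep_suffix) + pan[-keep_suffix:]


# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def scan_for_pans(lines):
    """Return (line number, masked PAN, IIN) for digit runs that pass the Luhn check.
    Luhn drops most order numbers and trace IDs; survivors still need human review."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_valid(pan):
                hits.append((n, mask_pan(pan), pan[:IIN_LENGTH]))
    return hits


# Constructed sample log: line 2 is already masked, line 3 is a trace ID that fails Luhn.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z checkout ok order=77812 pan=4111111111111111 amount=19.99",
    "2024-03-01T10:00:05Z checkout ok order=77813 pan=601100xxxxxx0004 amount=5.00",
    "2024-03-01T10:00:09Z upstream trace-id=1234567890123 request-size=1024",
    "2024-03-01T10:00:12Z form post card='5555 5555 5555 4444' exp=12/27",
]

if __name__ == "__main__":
    print(parse_pan("6011 1111 1111 1117"))
    print(luhn_check_digit("601111111111111"))   # regenerates the check digit 7
    for hit in scan_for_pans(SAMPLE_LOG):
        print(hit)
```

Running the block reports the two unmasked test PANs on lines 1 and 4 of the sample log (already masked in the output) and ignores the 13-digit trace ID, which fails the Luhn check. The scanner is a lead generator for a PCI DSS Requirement 3 review of logs and data stores, not proof that a hit is a live card number; the same Luhn routine that filters false positives will also accept any number an attacker mints with `luhn_check_digit`.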