undefined | Better HN

0 pointspacketized8y ago0 comments

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...

0 comments

kyrra8y ago

While it complies with PCI standards, knowing first6+last4, plus contact information, you can be much more successful at phishing against the target.

First6 will give you ability to know the issuing bank of the card (so an email can be crafted to look like those banks emails). Plus last4 tends to be used by banks as a "hey, we know who you are!" when they send emails.

cjbos8y ago

You might need them to reverse or refund the transaction with some payment gateways. Or if you are going to settle the funds at a time after authorization when shipping

kevindqc8y ago

How does that work? If you can't store the CVC/CVV, how come I don't have to re-enter it when I re-order form say Amazon or Foodora? Or maybe I do have to enter it? Don't remember :|

joering28y ago

Most MSP (merchant service provider) gives you control over the details you personally want to capture to verify someone. The minimum and most insecure is simply approving card based on valid number! (Not even expiration date). Then you can enable EXP, CVV and AV (address verification). Fun tip about AV: your adres doesnt matter. There is so many spellings of "oak harbour drive apartment 2" that industry pretty much gave up on some smart AI knowing them all, it and only verifies the zip code (typical gas station card usage for credit cards: verification is your zip code)

davidgh8y ago

Address line 1 in AVS is still used, however, only the numeric portion of the address is checked. The AVS results will generally tell you the individual match results for the address line and the postal code, so you can have a full match or a partial match. Most merchants will allow you through with a partial match.

ratsz8y ago

A secure token is provided by the credit card processor that the vendor can safely store and reuse after the first successful transaction.

https://en.wikipedia.org/wiki/Tokenization_(data_security)

sib8y ago

They are registering the fact that you knew it and used it to ship to a specific address in a previous transaction in order to reduce fraud risk. They aren't submitting it with every transaction. (Assuming they are following the rules...)

AnssiH8y ago

Amazon, specifically, never asks for CVC/CVV in the first place.

It is not required for charging a card, it is for reducing fraud.

j / k navigate · click thread line to collapse