Card data protection guidelines for API clients

The document categorises card data based on the degree of sensitivity from the security perspective. The guidelines enable you to adopt PCI-compliant card data protection practices and thereby protect yourself and your clients from the consequences of data breach.

Introduction

Contis is a PCI-DSS compliant organisation and guarantees adherence of all security standards for card data generation, processing, storage and transmission.

Contis offers API interfaces to clients and gives them access to confidential information for card processing. Hence, Contis strictly enforces security protocol on its API clients to protect them from the consequences of data breach, such as litigation, loss of money and reputation.

Contis has classified various data based on the level of confidentiality (Table 1, Table 2 and Table 3) and prepared a guideline (Table 4) on how to preserve the data privacy in the systems and prevent any data breach incident.

Contis recommends that every API client strictly follows the guidelines and contacts the Contis support team regarding any queries on data safety compliance.

Classification based on data sensitivity

HIGHLY SENSITIVE DATA

This type of data should not be stored anywhere in your system, even on an intermittent basis. The data should be processed in the real time as it is transmitted by Contis.

CategoryParametersDescription
Card Authentication DataPINThe four-digit, Personal Identification Number known only to the user for ATM/POS transaction
PIN BlockThe block of data composed of PIN, PIN length and PAN data, used to retrieve the PIN
CVV2Three-digit number printed on the back of the VISA card
PAN/ VirtualCardNumber16-digit Permanent Account Number of the card/ virtual card number, used for e-commerce and online transactions
Magnetic Strip DataKnown as ‘Full Track Data’, it is the encoded data stored in the magnetic strip on the back of the card for transaction authorisation
m-PINFour- to six-digit Mobile PIN needed to log into the mobile

SENSITIVE DATA

This type of data should be stored in an encrypted form and rendered unreadable. The security keys and encrypted data should be stored in a highly secure area, controlled by authorised access.

CategoryParametersDescription
API Configuration Data3DES PIN IV keyUsed for encryption and decryption of the PIN number during PIN retrieve function call
3DES PIN Secret KeyUsed for encryption and decryption of the PIN number during PIN retrieve function call
Hash PAN keyUsed to generate hash PAN number from clear PAN
SecurityKeyThe security key provided by Contis to every API user after login. Used to generate Hash using Hashdatastring method
TokenThe authentication key generated after successful login to the API account. Used to call other API methods
DeviceTokenThe unique string that individually identifies each mobile device
API Authentication DataUsernameUsername needed to login to API account
PasswordPassword needed to access the API Account
VerificationCodeThe verification code for the cardholder’s main mobile number, which is used to verify the cardholder’s mobile phone number
Card Activation CodeThe three-digit card activation code used to activate the card
Scheme Client Account NumberThe main or master account of client in a scheme
ContisUniqueReferenceIDOn successful registration, Contis returns a unique reference ID from the Contis system for the ClientSSOReferenceNumber provided by the client
ClientSSOReferenceNumberThe client-filled unique SSO reference value, used for Contis SSO service integration
HashA security feature used by Contis to prevent confidential data access and modification. It is generated by security key and hashdatastring.
HashDataStringContains the linked object field’s data, which is used to generate the Hash. See API reference for more information
TokenThe authentication key generated after successful login to the API account. Used to call other API methods.
DeviceTokenThe unique string that individually identifies each mobile device
Account DataAccount NumberCardholder’s eight-digit account number
BankAccountNumberThe number used in domestic bank transfer transaction.
IBANInternational Bank Account Number used in international bank transaction
BICBank Identifier Code used in international bank transaction
Personal DataMobileNumberMobile number of cardholder
LandlinenumberThe landline number of cardholder
PassportnumberThe passport number of the cardholder
DrivinglicenceNumberThe driving licence number of the cardholder
NationalidcardThe national ID card number of the account holder
SocialSecurityNumberThe four-digit social security number
DOBDate of birth of cardholder
AddressAddress of the cardholder
Display NameThe name of the Cardholder printed on the card
Card DataCardIssueDateThe date on which card has been issued
CardIDContis specified CardID number to refer the card
CardHolderIDContis specified ID of the Card holder
ObscuredCardNumberThe card number with visible first and last four digits and obscured middle digits for data protection
Expiry DateCard expiry data
Hash Card NumberHash card number derived using MD5 algorithm, PAN (16-digit card number) and Hash PAN Key provided by Contis

GENERAL DATA

The non-confidential data is stored in normal format in your system, but still covered by industry-compliant data protection policy and not for public use.

Data like Card Status (Lost, locked, Active, Inactive, Suspended, Cancelled, Frozen, etc.), HOSC, SWEAR, Agreement (Terms & Conditions), Scheme features, Card Design features/program, Communication templates, etc.

PCI DSS

Payment Card Industry (PCI) is an autonomous body. It was set up by major card brands like VISA, American Express, MasterCard, Discover and JCB for world-wide adoption of Data Security Standards (DSS). The body frames and encourages adoption of regulations for safe processing, transmission and storage of card data. PCI DSS applies to all the merchants, processors, acquirers, issuers and service providers involved in the card payment processing. Payment brand and acquirers are responsible for enforcing the PCI DSS compliance.

Contis is bound by PCI DSS regulations and encourages you to adopt the best practices. See table 4 on what “not to do” and “to do” for card data protection in line with the PCI data safety norms.

Contis is bound by PCI DSS regulations and encourages you to adopt the best practices. See Table 4 on what “not to do” and “to do” for card data protection in line with the PCI data safety norms.

Cardholder data protection best practices

Consequences of Data Breach

Contis warns that failure to adopt card data protection guidelines will lead to a data breach. If that happens, you may face the following consequences:

  • Termination of card processing privileges
  • Loss of reputation of your brand
  • Invite a forensic audit from compliance authority
  • Face client litigation
  • Take 90-120 days to implement remedial measures, which could throw your business out of gear