Card Data Proction Guideline For API Clients

     

    The document categorizes card data based on degree of sensitivity from the security perspective. The guideline enables you to adopt PCI-compliant card data protection practices and thereby protect yourself and your clients from the consequences of data breach.

    Introduction

    Contis is a PCI-DSS compliant organization and guarantees adherence of all security standards for card data generation, processing, storage and transmission.

    Contis offers API interfaces to clients and gives them access to confidential information for card processing. Hence, Contis strictly enforces security protocol on its API clients to protect them from the consequences of data breach like litigation, loss of money and reputation.

    Contis has classified various data based on the level of confidentiality (Table 1, Table 2 and Table 3) and prepared a guideline (Table 4) on how to preserve the data privacy in the systems and prevent any data breach incident.

    Contis recommends that every API client strictly follow the guideline and contact the Contis support team in case of any queries on data safety compliance.

    Classification based on data sensitivity

    Category Parameters Description
    Card Authentication Data PIN The four-digit, Personal Identification Number known only to the user for ATM/POS transaction
    PIN Block The block of data composed of PIN, PIN length and PAN data, used to retrieve the PIN
    CVV2 Three-digit number printed on the back of the VISA card
    PAN / VirtualCardNumber 16-digit Permanent Account Number of the card/ virtual card number, used for e-commerce and online transactions
    Magnetic Strip Data Known as "Full Track Data", it is the encoded data stored in the magnetic strip at the back of the card for transaction authorization
    m-PIN Four to six-digit Mobile PIN needed to log into the mobile
    Category Parameters Description
    API Configuration Data 3DES PIN IV key Used for encryption and decryption of the PIN number during PIN retrieve function call
    3DES PIN Secret Key Used for encryption and decryption of the PIN number during PIN retrieve function call
    Hash PAN key Used to generate hash PAN number from clear PAN
    SecurityKey The security key provided by Contis to every API user after login. Used to generate Hash using Hashdatastring method
    Token The authentication key generated after successful login to the API account. Used to call other API methods.
    DeviceToken The unique string that individually identifies each mobile device
    API Authentication Data Username Username needed to login to API account
    Password Password needed to access the API Account
    VerificationCode The verification code for the cardholder's main mobile number, which is used to verify the cardholder’s mobile phone number
    Card Activation Code The three-digit card activation code used to activate the card
    Scheme Client Account Number The main or master account of client in a scheme
    ContisUniqueReferenceID On successful registration, Contis returns a unique reference ID from Contis system for the ClientSSOReferenceNumber provided by the client
    ClientSSOReferenceNumber The client-filled unique SSO reference value, used for Contis SSO service integration
    Hash A security feature used by Contis to prevent confidential data access and modification. It is generated by security key and hashdatastring.
    HashDataString Contains the linked object field's data, which is used to generate Hash. Refer API document for more information
    Token The authentication key generated after successful login to the API account. Used to call other API methods.
    DeviceToken The unique string that individually identifies each mobile device
    Account Data Account Number Cardholder’s eight-digit account number
    BankAccountNumber The number used in domestic bank transfer transaction.
    IBAN International Bank Account Number used in international bank transaction
    BIC Bank Identifier Code used in international bank transaction
    Personal Data MobileNumber Mobile number of cardholder
    Landlinenumber The landline number of cardholder
    Passportnumber The passport number of the cardholder
    DrivinglicenceNumber The driving license number of the cardholder
    Nationalidcard The national ID card number of the account holder
    SocialSecurityNumber The four-digit social security number
    DOB Date of birth of cardholder
    Address Address of the cardholder
    Display Name The name of the Cardholder printed on the card
    Card Data CardIssueDate The date on which card has been issued
    CardID Contis specified CardID number to refer the card
    CardHolderID Contis specified ID of the Card holder
    ObscuredCardNumber The card number with visible first and last four digits and obscured middle digits for data protection
    Expiry Date Card expiry data
    Hash Card Number Hash card number derived using MD5 algorithm, PAN (16-digit card number) and Hash PAN Key provided by Contis

    PCI DSS

    Payment Card Industry (PCI) is an autonomous body.. It was set up by major card brands like VISA, American Express, MasterCard, Discover and JCB for world-wide adoption of Data Security Standards (DSS). The body frames and encourages adoption of regulations for safe processing, transmission and storage of card data. PCI DSS applies to all the merchants, processors, acquirers, issuers and service providers involved in the card payment processing. Payment brand and acquirers are responsible for enforcing the PCI DSS compliance.

    Contis is bound by PCI DSS regulations and encourages you to adopt the best practices. See table 4 on what "not to do" and "to do" for card data protection in line with the PCI data safety norms.

    Cardholder data protection best practices

    To Do

    • Destroy all authentication data after processing
    • Use strong cryptography to render all stored cardholder data unreadable
    • Confirm compliance of your payment terminals with PCI PIN
    • Store security keys in a secure area in the system to prevent its misuse
    • Understand entire card transaction flow to know where to implement appropriate security measures
    • Notify concerned authority if you receive full card number (unmasked). If received by mail note the source and delete the mail from the system
    • Wipe off the data from hard drive before disposing.
    • Install latest anti-virus and update it regularly
    • Store paper record of card payment (if necessary) in a secure place and destroy in authorised shredder when required
    • Create strong user access passwords and change them regularly to prevent unauthorized access
    • Carry out regular scrutiny of users log details to detect any unusual activity
    • Encrypt transmission of cardholder data over Internet and Intranet

    Not To Do

    • Do not store authentication data (Table 1) even if encrypted after authorization
    • Do not store data of the track on the magnetic strip or the chip
    • Do not store Card Validation Value (CVV) used to validate card-not-present status
    • Do not place servers and other card storage devices in unsecured place
    • Do not permit unauthorized access to secured data storage
    • Do not print cardholder information when not needed. If required, ensure PAN is masked or truncated.
    • Do not store payment card data in laptops, smartphones, PCs and other personal devices
    • Do not send or receive any card data through email, SMS, private messenger services and social media
    • Do not create paper records of card data, if not necessary
    • Do not store cardholder data in the server connected to Internet
    • Do not use vendor-provided default usernames and passwords
    • Do not store any card data, unless absolutely required

    Consequences of Data Breach

    Was this page helpful to you?