-
Notifications
You must be signed in to change notification settings - Fork 465
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Support for 8 digit bins on ISOUtil #496
base: tail
Are you sure you want to change the base?
feat: Support for 8 digit bins on ISOUtil #496
Conversation
Configured with the environment property ${jpos.util.bin.length}, it should be a comma separated list of bines. For example, if there are two 8 length bines "4000000" and "2000000", then this property should be: jpos.util.bin.length = 4000000,2000000 fixes jpos#475 Signed-off-by: Arturo Volpe <[email protected]>
According to PCI: The masking approach should always ensure that only the minimum number of digits is displayed as necessary to perform a specific business function. For example, if only the last four digits are needed to carry out a business function, mask the PAN so that individuals performing that function can view only the last four digits. While the intent of Requirement 3.3 is to display no more than the “first six and last four digits” of a PAN, an entity will be permitted to display more digits if needed but only with a documented business justification. The solution you provide Arturo is good, backward compatible, and easy to rollout, but we need to be aware that a documented business justification to configure these extended BINs. People may really don't need it. |
After a bit of googling, I found this page: https://src-gmbh.de/en/8-digit-bins-and-pci-dss/ It says that in PCI DSS v4.0 that requirement changes to:
So we can use this solution if we are aiming at PCI DSS v4.0, but I don't have the actual document so I can't confirm the validity of that information. |
The spec https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf in section 3.4.1
But it doesn't say the length of the bin. And I can't find any reference to the length of the bin. |
This FAQ further clarifies the masking: https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/What-are-acceptable-formats-for-truncation-of-primary-account-numbers/ This PR is compatible with that change. The only thing that I don't like is the name of the property, but I can't think of a better name |
BIN configuration, used to support 8-digit bin
Configured with the environment property ${jpos.util.bin.length}, it
should be a comma-separated list of bins.
For example, if there are two 8-digit bins "4000000" and "2000000",
then this property should be:
jpos.util.bin.length = 4000000,2000000
fixes #475
Signed-off-by: Arturo Volpe [email protected]