| ]

Following up on my blog post a few months ago entitled "PCI compliance, Security in isolated systems and Parking Tellers Part 1" - I took a brief look the other day at another Ticket issued by a Parking Teller in Luxembourg.

Updated :
  • Clarified some of the explanations
  • Masked Luhn number

The below is even worse than the examples in the previous post:
In the example above and similar to the first post of this series, the digits of the PAN chosen to be masked are contrary to PCI recommendations.

In this example that was discovered in a popular shopping mall in Luxembourg, the negligence goes further and includes the full expiration date of the credit card used (FIN VALID).

Now in order to understand why VISA required distinct parts of the PAN to be masked let's dive into what is commonly known as the PAN ("Primary Account Number") :

Format of a VISA PAN and associated BIN

As you see the PAN is split up into a BIN, Account Number and Checksum. Taking the receipt above you will see that  it gives away most of the "high" entropy parts of the PAN including the Luhn Checksum.

The country code indicates that this is a VISA card issued in Luxembourg, due to the very limited number of credit cards available in Luxembourg and due to way the card are issued this makes it trivial to reconstruct the BIN (misses one number, the 5) and with help of the Luhn checksum the possibilities of the remaining 3 masked digits can be further reduced.

Even more so if you are aware of the way the account numbers on those cards are generated in Luxemburg (this can be simply gathered by comparing several cards from several Luxemburgish bancs) the first 2 digits that immediately follow the BIN appears to be a reference to the Bank on which behalf the card was issued.

We can therefore say that the only relatively random masked part is just a single digit long. Combine this with the presence of a limited amount of bancs in Luxemburg and presence the luhn checksum and you have all you need.

Summa Summarum :
The recommendation to mask the last 4 digits makes sense, it has the most entropy and is the less likely to result in the reconstruction of the complete PAN. Now if only this could be followed by anyone.

Apart from that, if you combine this receipt with the ones collected in parking tellers in my original post you have all you need.

References :