Following up on my blog post a few months ago entitled "PCI compliance, Security in isolated systems and Parking Tellers Part 1", I took a brief look the other day at another ticket issued by a parking teller in Luxembourg.

Updated :
  • Clarified some of the explanations
  • Masked Luhn number

The receipt shown here is even worse than the examples in the previous post. As in the first post of this series, the digits of the PAN chosen for masking are contrary to the PCI recommendations.

In this example, found in a popular shopping mall in Luxembourg, the negligence goes further: the receipt also prints the full expiration date of the card (the "FIN VALID" field).

To understand why Visa requires specific parts of the PAN to be masked, let's look at what is commonly known as the PAN ("Primary Account Number"):

Format of a VISA PAN and associated BIN

As you can see, the PAN is split into a BIN (the first six digits, which identify the issuer), the account number and a Luhn check digit (the last digit). Looking at the receipt, it gives away most of the high-entropy part of the PAN, the account number, as well as the Luhn check digit.

The BIN indicates that this is a Visa card issued in Luxembourg. Because of the very limited number of card products available in Luxembourg and the way the cards are issued, it is trivial to reconstruct the BIN (only one of its digits is missing, the 5), and with the help of the Luhn check digit the possibilities for the remaining 3 masked digits can be further reduced: the check digit rules out nine out of every ten candidate combinations.

Even more so if you know how the account numbers on those cards are generated in Luxembourg (which can be learned simply by comparing several cards from several Luxembourgish banks): the first 2 digits immediately following the BIN appear to be a reference to the bank on whose behalf the card was issued.

We can therefore say that the only relatively random masked part is a single digit long. Combine this with the limited number of banks in Luxembourg and the presence of the Luhn check digit, which pins down that last digit once every other digit is known, and you have all you need.
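As an added example (this is not code from the original post), the following Python script makes the reasoning above concrete. It brute-forces the masked positions of a receipt, keeps only the completions that pass the Luhn check, and then shrinks the candidate set further with the two inferences the post describes: a short list of BINs in use in the country, and the two bank-reference digits that follow the BIN. The PAN `REAL_PAN`, the masked receipt strings and the BIN list `COUNTRY_BINS` are all constructed for illustration; no real card number or issuer BIN appears. For contrast it also shows the candidate count for a receipt that prints only the last four digits.

```python
"""Added example, not code from the original post: how much of a PAN a badly
masked receipt gives away. The PAN, the receipt masks and the issuer BIN list
below are all constructed for illustration; no real card or BIN is used."""
from itertools import product

# Constructed, Luhn-valid 16-digit PAN: 6-digit BIN + 9-digit account id + check digit.
REAL_PAN = "4000001234567899"

# Constructed list standing in for "the handful of Visa BINs issued in this country".
COUNTRY_BINS = ["400000", "400003", "400007"]


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; the last digit of the PAN is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = 2 * d
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_consistent_count(masked: str) -> int:
    """Exact number of Luhn-valid completions of a masked PAN.

    The Luhn weighting of a single digit is a bijection on 0..9, so for any
    assignment of all but one masked position exactly one value of the last
    masked digit satisfies the check: 10**(holes - 1) completions survive.
    """
    holes = masked.count("*")
    if holes == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (holes - 1)


def candidates(masked: str, known_bins=None) -> list:
    """Enumerate every PAN consistent with a masked receipt string.

    masked     -- 16 characters, a digit or '*' per position
    known_bins -- optional list of 6-digit BINs the card must start with
    Brute-forces the masked positions, then drops Luhn-invalid completions.
    """
    holes = [i for i, ch in enumerate(masked) if ch == "*"]
    found = []
    for fill in product("0123456789", repeat=len(holes)):
        digits = list(masked)
        for pos, d in zip(holes, fill):
            digits[pos] = d
        pan = "".join(digits)
        if known_bins and pan[:6] not in known_bins:
            continue
        if luhn_valid(pan):
            found.append(pan)
    return found


def receipt_truncation(pan: str) -> str:
    """The form the card brands require on the cardholder copy: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def reconstruction_stages(receipt: str, bank_ref: str) -> dict:
    """Shrink the candidate set step by step, as the post argues an attacker would.

    receipt  -- the masked PAN as printed (here: one BIN digit and the first
                three account digits masked, check digit visible)
    bank_ref -- the two account digits that follow the BIN and, per the post,
                identify the issuing bank, so an attacker can fill them in
    Returns the candidate counts after each inference step.
    """
    stage1 = candidates(receipt)                      # Luhn check alone
    stage2 = candidates(receipt, COUNTRY_BINS)        # + only a few BINs in the country
    filled = receipt[:6] + bank_ref + receipt[8:]     # + bank-reference digits known
    stage3 = candidates(filled, COUNTRY_BINS)
    return {"luhn_only": len(stage1), "known_bins": len(stage2),
            "bank_ref": len(stage3), "candidates": stage3}


if __name__ == "__main__":
    # Constructed receipt in the style the post criticises: BIN almost complete,
    # three account digits masked, the rest of the account number and the
    # check digit printed in clear.
    bad_receipt = "40000****4567899"
    stages = reconstruction_stages(bad_receipt, bank_ref="12")
    print("Luhn only:        ", stages["luhn_only"])
    print("+ known BINs:     ", stages["known_bins"])
    print("+ bank reference: ", stages["bank_ref"], stages["candidates"])
    print("Real PAN found:   ", REAL_PAN in stages["candidates"])
    good_receipt = receipt_truncation(REAL_PAN)
    print("Last-four receipt:", good_receipt,
          "->", luhn_consistent_count(good_receipt), "Luhn-valid candidates")
```

Running the script shows the collapse the post describes: 1000 Luhn-valid candidates from the masked digits alone, 300 once the BIN is limited to the few in use in the country, and 3 (one per BIN) once the bank-reference digits are filled in, at which point the check digit determines the last masked digit outright. The same card printed as last-four-only still leaves 10^11 Luhn-valid candidates, which is why exposing the check digit together with most of the account number matters so much.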

Summa Summarum :
The rule that a cardholder receipt shows no more than the last 4 digits makes sense: everything that is hidden then carries almost all of the entropy, which makes reconstruction of the complete PAN far less likely. Now if only it were followed by everyone.

Apart from that, if you combine this receipt with the ones collected from parking tellers in my original post, you have all you need.

Ingus said... @ 05 May, 2012 17:04

Well, a local cafe (in another European country) had the full card number on the customer receipt. I told them it is not cool to do so. They never replied; however, after a month only the last 4 digits appeared on the customer receipt.

As there are requirements (PCI/Visa), there is always someone liable for such actions. If a merchant is ignoring the requirements, the bank that is processing their payments is liable for it as well. Ask your bank to issue a new card at their or Visa's expense every time you get a faulty receipt. If they refuse, I'm betting that a court will be on your side if it becomes necessary to deny future payments made with this card.

As for collecting card numbers, I'm sure that putting up skimmers or hidden cameras is still much more effective than dumpster diving for partial receipts. Most likely there is also less protection (staff education) than at ATMs.

