PCI compliance is not required
The Consumer Data Standards (CDS) API Endpoints are not intended to require PCI (Payment Card Industry) Compliance obligations for Data Holders (DH) or Accredited Data Recipients (ADR).
CDS masking requirements
CDR Rules, Schedule 2, Steps for privacy safeguard 12, Section 2.2, Information security controls, 3b, specifies that CDR data should be secured by masking. This implies that plain text Primary Account Number (PAN) or Credit Card numbers should not be provided in API responses. As a guiding principle, a PAN should always be masked in the CDR data provided by an organisation.
CDS masking requirements are explicitly stated in CDS Common Field Types, in fields whose names include the word 'masked'.
Masking Common Field Types
The CDS, Common Field Types provide field types that support the masking of PAN and account numbers:
MaskedPANString
MaskedAccountString
The descriptions of these field types specify the details of masking. If a field belongs to one of these types, it requires the value to be masked.
For example, the response to GET Accounts uses the schema ResponseBankingAccountList, which in turn uses the schema BankingAccount. The field maskedNumber is of Common Field Type MaskedAccountString, and masks the account number according to the MaskedAccountString description.
Masking uses lower case x
As specified in CDS, Common Field Types, MaskedAccountString, and MaskedPANString, masking uses a lower case x. Using asterisks or characters other than x for masking is not permitted.
Unmasked account number in authorisation flow
In the detailed scope of the GET Account Detail API, the more sensitive unmasked account number may be returned according to the BankingAccountDetail schema. During the consent flow, this allows consumers to see the unmasked account numbers of their own accounts, when authorising sharing of account data on the DH authorisation page.
The PAN may be unmasked during the authorisation flow; however, it must be masked during data sharing.
Masking credit card numbers
All Credit Card numbers should be masked as per the proposed DSB convention CDS-DC-0004.
Masking Payee details
The GET Payee Details endpoint includes a schema BankingDomesticPayee which refers to the Card Number associated with the Payee's registration. This field is of type MaskedPANString and masks the card number accordingly.
Masking Customer Reference Number (CRN)
A PAN can be used for naming or reference purposes using BankingBillerPayee, which includes a CRN. In this case, if the contents of the CRN match the format of a PAN, they should be masked according to the MaskedPANString Common Field Type. This also applies to CRNs with fewer than six digits.
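The following check is an added example, not part of the CDS or of this article. It walks a decoded API response and reports masked fields that break the lower case x rule, and CRNs that have the format of a PAN but were not masked. The field names cardNumber and crn are taken from the CDS banking schemas rather than from this page, the 13 to 19 digit Luhn test for "format of a PAN" is an assumption, and the sample payload is constructed.

```python
import re

# Field names follow the CDS banking schemas; the payload at the end is constructed.
MASKED_FIELDS = {"maskedNumber", "cardNumber"}   # MaskedAccountString / MaskedPANString
CRN_FIELDS = {"crn"}                             # CRN in BankingBillerPayee

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_pan(value):
    # Assumption: "format of a PAN" = 13-19 digits passing Luhn, spaces/hyphens ignored.
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

def masked_value_problem(value):
    """Return a description of the masking defect, or None if the value is fine."""
    if re.search(r"[*#•]", value):
        return "mask character other than lower case x"
    if looks_like_pan(value):
        return "card number in clear text"
    return None if "x" in value else "no lower case x masking present"

def audit(node, path="$"):
    """Walk a decoded JSON response and list (path, problem) pairs."""
    findings = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            findings += audit(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if isinstance(val, str) and key in MASKED_FIELDS:
                problem = masked_value_problem(val)
                if problem:
                    findings.append((here, problem))
            elif isinstance(val, str) and key in CRN_FIELDS:
                if looks_like_pan(val):
                    findings.append((here, "CRN has PAN format but is not masked"))
            else:
                findings += audit(val, here)
    return findings

SAMPLE = {  # constructed payload; 4111 1111 1111 1111 is a well-known test card number
    "accounts": [{"maskedNumber": "xxxx xxxx xxxx 1234"}, {"maskedNumber": "**** **** **** 1234"}],
    "payees": [{"cardNumber": "4111 1111 1111 1111"}, {"crn": "4111111111111111"}, {"crn": "xxxx xxxx xxxx 1111"}],
}
```

Calling audit(SAMPLE) reports the asterisk-masked account, the clear-text card number and the unmasked PAN-format CRN, and passes the two values masked with lower case x.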
Masking sensitive data in transaction description detail
The CDS and CDR Rules do not have any specific information security requirements for description details beyond the account number fields in the account payloads. The recommendation is for DHs to abide by their standard business practices.
Masking Payee account numbers
Only Credit Card PANs are masked in payee data. The accountNumbers of payees are not required to be masked.
Alpha-numeric account numbers
For scenarios where the term deposits held by a DH have alpha-numeric identifiers, the DSB recommends the following approach for returning accountNumber and maskedNumber fields within the BankingAccountDetailV2 response schema.
- Populate the maskedNumber field with a masked version of the alpha-numeric identifier.
- Leave out the accountNumber field in the BankingAccountDetailV2 response as it is optional.