PCI compliance is not required
CDS masking requirements
CDR Rules, Schedule 2, Steps for privacy safeguard 12, Section 2.2, Information security controls, 3b, specifies that CDR data should be secured by masking. This implies that plain text Primary Account Number (PAN) or Credit Card numbers should not be provided in API responses. As a guiding principle, a PAN should always be masked in the CDR data provided by an organisation.
CDS masking requirements are explicitly stated in CDS Common Field Types, in fields whose names include the word 'masked'.
Masking Common Field Types
The CDS, Common Field Types provide field types that support the masking of PAN and account numbers:
The descriptions of these field types specify the details of masking. If a field belongs to one of these types, it requires the value to be masked.
For example, the response to GET Accounts uses the schema ResponseBankingAccountList, which in turn uses the schema BankingAccount. The field maskedNumber is of Common Field Type MaskedAccountString, and masks the account number according to the
Masking uses lower case x
As specified in CDS, Common Field Types, MaskedPANString, masking uses a lower case x. Using asterisks or characters other than x for masking is not permitted.
Unmasked account number in authorisation flow
In the detailed scope of the GET Account Detail API, the more sensitive unmasked account number may be returned according to the BankingAccountDetail schema. During the consent flow, this allows consumers to see the unmasked account numbers of their own accounts, when authorising sharing of account data on the DH authorisation page.
The PAN may be unmasked during the authorisation flow; however, it must be masked during data sharing.
Masking credit card numbers
All Credit Card numbers should be masked as per the proposed DSB convention CDS-DC-0004.
Masking Payee details
The GET Payee Details endpoint includes a schema BankingDomesticPayee which refers to the Card Number associated with the Payee's registration. This field is of type MaskedPANString and masks the card number accordingly.
Masking Customer Reference Number (CRN)
A PAN can be used for naming or reference purposes using BankingBillerPayee, which includes a CRN. If, in this case, the contents of the CRN match the format of a PAN, then it should be masked according to the MaskedPANString Common Field Type. This also applies to CRNs with fewer than six digits.
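As an added example (not part of the CDS or of this article), a Data Holder could run a check like the following over outbound responses to catch the two problems described above: a masked field that uses a character other than lower case x, and a CRN or other string that still carries a plain PAN. It assumes that "matches the format of a PAN" means 13 to 19 digits passing the Luhn checksum, and that any symbol or run of upper case X in a field whose name includes 'masked' is a disallowed mask character; the function names and the sample payload are constructed for illustration.

```python
import re

# Assumption: a PAN candidate is 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumption: in a masked field, symbols such as '*' or '#', or runs of 'X', are mask characters.
BAD_MASK = re.compile(r"[^A-Za-z0-9 \-]|X{2,}")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_masking_issues(node, path="$"):
    """Walk a decoded JSON response and return a list of (json_path, issue) pairs."""
    issues = []
    if isinstance(node, dict):
        for key, value in node.items():
            issues += find_masking_issues(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            issues += find_masking_issues(value, f"{path}[{i}]")
    elif isinstance(node, str):
        # Any string field, including a CRN, must not carry a plain PAN.
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_CANDIDATE.finditer(node)):
            issues.append((path, "unmasked PAN"))
        # Fields whose names include 'masked' must mask with lower case x only.
        field = path.rsplit(".", 1)[-1]
        if "masked" in field.lower() and BAD_MASK.search(node):
            issues.append((path, "mask character other than lower case x"))
    return issues

# Constructed sample payload (not a real response); 4111 1111 1111 1111 is a test number.
SAMPLE = {"data": {
    "accounts": [{"accountId": "a1", "maskedNumber": "**** **** **** 1234"},
                 {"accountId": "a2", "maskedNumber": "xxxx xxxx xxxx 5678"}],
    "payee": {"biller": {"crn": "4111 1111 1111 1111"}},
}}

if __name__ == "__main__":
    for json_path, issue in find_masking_issues(SAMPLE):
        print(json_path, "->", issue)
```

The Luhn test keeps false positives low but does not remove them, so a hit is a prompt to review the field rather than proof of a PAN.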
Masking sensitive data in transaction description detail
The CDS and CDR Rules do not have any specific information security requirements for description details beyond the account number fields in the account payloads. The recommendation is for DHs to abide by their standard business practices.
Masking Payee account numbers
Only Credit Card PANs are masked in payee data. The accountNumbers of payees are not required to be masked.
Alpha-numeric account numbers
For scenarios where the term deposits held by a DH have alpha-numeric identifiers, the DSB recommends the following approach for returning maskedNumber fields within the BankingAccountDetailV2 response schema.
- Populate the maskedNumber field with a masked version of the alpha-numeric identifier.
- Leave out the accountNumber field in the BankingAccountDetailV2 response as it is optional.