Question
The GET Accounts API returns a masked account number in BankingAccount schema:
A masked version of the account. Whether BSB/Account Number, Credit Card PAN or another number
While the GET Account Detail returns an unmasked account number in BankingAccountDetail schema:
The unmasked account number for the account. Should not be supplied if the account number is a PAN requiring PCI compliance.
What is the rationale for disclosing the "unmasked number" for the get Account Details API?
The understanding was either to mask or unmask account numbers (of course the credit card/PAN PCI DSS compliance data will never be in the clear) consistently.
Answer
The real account number is sensitive and was limited to the more detailed scope.
The masked account number was included in the less sensitive scope to support the creation of user experiences where customers need to select or view a list of accounts.
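The split described in the answer, as an added example that is not part of the original question or answer and not the standard's own code: the list-level representation always carries a masked number, the detail representation adds the real number only when the caller holds the more detailed scope, and a PAN is never emitted unmasked in either. The scope names, the masking format (last four digits visible) and the account records are assumptions made for this example.

```python
"""Masked vs. unmasked account identifiers, split by consent scope.

Constructed example: the scope names, the masking format and the
sample accounts below are assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed scope names (hypothetical for this example).
SCOPE_BASIC = "bank:accounts.basic:read"
SCOPE_DETAIL = "bank:accounts.detail:read"


@dataclass(frozen=True)
class Account:
    account_id: str
    number: str      # BSB + account number, or a card PAN
    is_pan: bool     # True when the number is a card PAN (PCI DSS scope)


def mask_number(number: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with 'x'.

    Separators (spaces, hyphens) are preserved so the masked value still
    reads like the original format in an account picker.
    """
    total = sum(c.isdigit() for c in number)
    first_visible = max(0, total - keep)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            out.append(c if seen >= first_visible else "x")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def banking_account(acct: Account) -> dict:
    """List-level (BankingAccount) representation: always masked."""
    return {
        "accountId": acct.account_id,
        "maskedNumber": mask_number(acct.number),
    }


def banking_account_detail(acct: Account, scopes: set[str]) -> dict:
    """Detail (BankingAccountDetail) representation.

    The real number requires the detail scope and is withheld entirely
    when it is a PAN, regardless of scope.
    """
    if SCOPE_DETAIL not in scopes:
        raise PermissionError("detail scope required for account detail")
    body = banking_account(acct)
    if not acct.is_pan:
        body["accountNumber"] = acct.number
    return body


def leaks_pan(body: dict, accounts: list[Account]) -> bool:
    """Guard for response tests: does any string field equal a raw PAN?"""
    pans = {a.number for a in accounts if a.is_pan}
    return any(v in pans for v in body.values() if isinstance(v, str))


# Constructed sample accounts (not real numbers).
SAMPLE_ACCOUNTS = [
    Account("acc-1", "123-456 12345678", is_pan=False),
    Account("acc-2", "4111 1111 1111 1111", is_pan=True),
]


def list_accounts(scopes: set[str]) -> list[dict]:
    """GET Accounts: masked only, available with the basic scope."""
    if SCOPE_BASIC not in scopes and SCOPE_DETAIL not in scopes:
        raise PermissionError("basic scope required for account list")
    return [banking_account(a) for a in SAMPLE_ACCOUNTS]


if __name__ == "__main__":
    basic = {SCOPE_BASIC}
    detail = {SCOPE_BASIC, SCOPE_DETAIL}
    for body in list_accounts(basic):
        print("list:", body)
    for a in SAMPLE_ACCOUNTS:
        print("detail:", banking_account_detail(a, detail))
```

Running the module prints the masked list for a basic-scope caller and the detail bodies for a detail-scope caller; the card account keeps only its masked number in both.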