Question
The maskedNumber field appears in the BankingAccount response schema. This is used, for example, in the Get Accounts API response. The maskedNumber is defined as the masked version of the account number, such as BSB/Account Number, Credit Card PAN or other account identifier.
Is there any additional requirement around the sensitive data masking to achieve compliance with standards such as PCI DSS especially for Credit Card?
Answer
All masking requirements are explicitly stated in CDS Common Field Types (search for 'masked').
The Data Standards Body has taken the position that we do not want to introduce PCI compliance issues into the Consumer Data Right implementations.
The masked version is derived from the unmasked version of the account number field in the account details endpoint.
Convention CDS-DC-004 provides a recommendation on masking of credit card numbers.
See: