Question
Within the BPAY scheme, some billers have used a PCI Credit Card Number (PAN) as the Customer Registration Number (CRN). This data is returned as part of transaction detail and as part of returning Payees.
Under PCI compliance a PAN should not be transmitted.
For a Transaction, if the CRN were a PAN, sending the CRN is optional and should not take place. Alternatively, it should be masked according to PAN masking rules.
For Payee, sending a PAN allows for payment instruction portability (from the customer perspective), and this would be an appropriate business use under our CDR obligations.
Please clarify the circumstances under which a PAN CRN should be sent.
Answer
There was an overarching decision for CDR to exclude communication of PANs so that there was no prospect of Accredited Data Recipients and Data Holders being required to make their implementations PCI compliant, due to the implementation costs. This does impact payment instruction portability, but this was seen as an appropriate trade-off.
If you look at the guidance in the standards for fields such as accountNumber, cardNumber, /crn, etc., you will see that there are notes that PANs should be masked. The MaskedPANString field under Common Field Types is used to make this clear.
See:
- Convention CDS-DC-0004: Masking Credit Card Numbers - Masking of Consumer Data Right data
- CDS BankingAccountDetail
- CDS BankingBillerPayee
- CDS Common Field Types, MaskedPANString
- July2020-1.3 Consumer Experience: Primary Account Number (PAN)
- Masking sensitive data in transaction description detail
- Masked Number and PCI Compliance
- Masked account number
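A practical backstop for a Data Holder implementing the guidance above is to check every outgoing CRN for PAN-like content before it leaves the response pipeline. The following Python is an added example written for this page; it is not code from the Consumer Data Standards or from the answer above. It assumes that a value of 13 to 19 digits passing a Luhn check is "PAN-like" (a heuristic; some biller CRN check-digit schemes may also satisfy Luhn, so this is a safety net, not a classifier of record), and it assumes the MaskedPANString format is lower-case `x` for every digit except the last four with any separators retained; confirm the exact format against CDS Common Field Types before relying on it.

```python
"""Detect PAN-like CRN values and mask them before they are returned.

Added example for this page, not code from the CDS or the forum answer.
Assumptions (confirm against the standards before use):
  * "PAN-like" = 13..19 digits that pass the Luhn check (heuristic only;
    a CRN using a mod-10 style check digit could also pass).
  * MaskedPANString = lower-case 'x' for all digits except the last four,
    non-digit separators such as spaces or dashes kept in place.
"""

import re
from typing import Dict

_SEPARATORS = re.compile(r"[ \-]")


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` (ASCII digits only) satisfies the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the right; every second digit (starting with the second) is doubled.
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Heuristic: 13..19 digits (ignoring spaces/dashes) with a valid Luhn checksum."""
    digits = _SEPARATORS.sub("", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(value: str) -> str:
    """Mask to the assumed MaskedPANString form: 'x' for all but the last four digits.

    Separators are preserved so 'xxxx xxxx xxxx 1111' keeps its grouping.
    """
    digit_count = sum(1 for c in value if c.isdigit())
    keep_from = digit_count - 4  # digits after this index stay visible
    out = []
    seen = 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > keep_from else "x")
        else:
            out.append(c)
    return "".join(out)


def sanitise_crn(crn: str) -> str:
    """Return the CRN unchanged unless it looks like a PAN, in which case mask it."""
    return mask_pan(crn) if looks_like_pan(crn) else crn


def sanitise_payee(payee: Dict[str, str]) -> Dict[str, str]:
    """Apply CRN sanitisation to a payee-style record, leaving other fields alone."""
    cleaned = dict(payee)
    if "crn" in cleaned:
        cleaned["crn"] = sanitise_crn(cleaned["crn"])
    return cleaned


if __name__ == "__main__":
    # Constructed sample records; the card number is a well-known test PAN.
    sample_payees = [
        {"billerCode": "123456", "crn": "4111 1111 1111 1111"},  # PAN used as CRN
        {"billerCode": "654321", "crn": "1234567890"},            # ordinary CRN
    ]
    for payee in sample_payees:
        print(sanitise_payee(payee))
```

In a real pipeline the masking would sit at the serialisation boundary so that no code path can return an unmasked CRN, and the false-positive risk of the Luhn heuristic should be weighed against the cost of masking a legitimate numeric CRN that merely happens to pass the check.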