8 digit BINs and PCI DSS

On April 1, 2022, the payment brands Visa and Mastercard will expand the BIN (Bank Identi­fi­cation Number) of their cards worldwide from 6 to 8 digits. In future, the first 8 digits of a 16-digit credit card number (Primary Account Number, PAN) will be used to identify the card issuer. The BIN is used in many occasions where the use of the full PAN is not necessary — e.g. for routing of trans­ac­tions, or for reporting.

BINs and PCI DSS 

Wherever a full PAN is used, the systems, environ­ments, processes and people must meet the require­ments of the data security standard PCI DSS (Payment Card Industry Data Security Standard). As useful as the protection of the PAN by the PCI DSS is – it is not necessary for the BIN. The PCI DSS therefore describes the condi­tions under which parts of the PAN do not require the same protection as the full PAN. If not the full PAN is stored, processed or trans­mitted, but only parts of it, the PCI DSS refers to “truncation”. If the full PAN is stored in the background, but not all digits are displayed in an appli­cation, the PCI DSS refers to the display as “masking”. In everyday life, the term “crossing out” is also used for the two different measures; from PCI DSS point of view, however, they have to be differentiated.

The following rules previ­ously applied to truncation and masking:

  • Masking: PCI DSS Requirement 3.3 states that a maximum of the first six and last four digits (“first 6, last 4”) of the PAN may be displayed, as long as there is no business need to view the full PAN.
  • Truncation: PCI DSS Requirement 3.4 lists truncation as an example of rendering PANs unreadable, but does not define it. The permitted formats are rather defined by the inter­na­tional payment card organi­za­tions and get summa­rized by the PCI SSC in FAQ entry #1091. Most of them had agreed on the rule “first 6, any other 4”, which had lasted for many years.

Changed rules for truncation and masking 

However, due to the switch to 8‑digit BINs and the need for many companies to process them, the payment brands have now changed their speci­fi­ca­tions. The current summary in the PCI SSC FAQ entry now defines that “first 8, any other 4” is permitted for truncation for 16-digit PANs. The (test) card number 4012888888881881 is then allowed to be stored and processed in the form 40128888xxxx1881, for example — it is suffi­cient if any four digits are crossed out after the BIN. Only for shorter PANs, the existing rules “first 6, any other 4” (Discover) or “first 6, last 4” (American Express) remain in place. A corre­sponding adjustment of the PCI DSS requirement for masking is expected with the change to PCI DSS v4.0.

From a security point of view, removing so few digits is not an improvement — but from a business perspective, the change is probably necessary. It is to be hoped that, overall, this will be offset by other security measures.
In any case, the require­ments of the PCI DSS will not prevent the use of 8‑digit BIN in the future.

Caution when combining different formats 

Regardless of the length of the BIN, merchants and service providers who work with truncated card data should take care not to weaken the protection by mixing different formats.

  • It must be considered that the extended truncation formats only apply to 16-digit PANs. The length of the PAN must therefore be taken into account for truncation during storage.
  • Truncation formats such as “first 6, any other 4” theoret­i­cally allow the existence of different truncated versions of the same PAN. The above card number might be stored as 40128888xxxx1881 in one system and 401288888888xxxx in another. This is not prohibited — but it must be ensured that no one without an according business need can merge the two versions and thus recon­struct further digits of the PAN — right down to the complete card number.
    This also applies if different formats are used for masking and truncation.
  • If both truncated PANs and the hash values of PANs are stored in an environment, the two values themselves are initially uncritical. However, if the truncated PANs and their hash values can be related, the original full PAN can be easily recon­structed using rainbow tables. In this case, additional measures must also be taken to prevent the two versions from being merged.

PCI DSS v4.0 is coming — an overview

The PCI DSS (Payment Card Industry Data Security Standard) is well known as a compre­hensive data security standard for payment card data of the inter­na­tional payment brands. The Payment Card Industry Security Standards Council (PCI SSC) keeps revising the standard throughout the years to address evolving risks and threats to payment data, to keep pace with the ever changing IT and payment landscape, and to reinforce security.
The PCI SSC has been working on the new, funda­men­tally revised version 4.0 of the standard for a long time now. After three RFC phases throughout the years, the new version will now be officially published on the PCI SSC website in March 2022.
Several changes have already been announced and are listed hereafter.

New validation options 

PCI SSC plans to add more flexi­bility to the standard. Tradi­tionally, the intended way of fulfilling a PCI DSS requirement is to follow it word by word. Now, the PCI SSC plans to add a choice: For nearly each requirement, an entity can either choose the tradi­tional way of fulfilling it word by word, or they can use a customized validation.
For each requirement in the standard, the objective that is intended to be reached with it will be given. If an entity thinks that they want to use another way of meeting this intention than following the requirement word by word, they can document how they do this. This includes a risk assessment to verify the appro­pri­ateness of the customized way. This documen­tation, including the risk assessment, is then provided to the assessor, and the assessor identifies suitable testing proce­dures to verify the imple­men­tation of the customized controls.

Requirement changes

To make sure PCI DSS compliance is kept up throughout the year, additional require­ments are announced by the PCI SSC, e.g. the necessity for

  • Defin­ition of roles and respon­si­bil­ities for all PCI DSS relevant topics; and for
  • Regular verifi­cation of PCI DSS scope.

In addition, existing require­ments will be adapted to threat and security evolvement. Changes to require­ments on the following topics are forecasted:

  • Authen­ti­cation requirements,
  • Detection mechanism and awareness measures for ongoing threats, and
  • Risk assess­ments.

Also the use of 8‑digit BINs will need to be addressed (see our blog entry).
Of course, the exact details of changes can only be given after the final publication.

Transition process

The PCI SSC has announced a transition period of two years, plus additional transition time for completely new requirements.

So after publi­cation in March 2022, take your time to read the new PCI DSS version, identify the changes, and under­stand the impact on your environment. Use this year to plan migration to PCI DSS v4.0 and decide when is the right moment for your entity to switch from version 3.2.1 to 4.0.

Your PCI DSS consultant or assessor can help you under­standing the intention of changes, your need for migration, and the validation require­ments. Please do not hesitate to contact them. If you do not have direct contact to a PCI DSS expert, please contact SRC’s PCI DSS respon­sible.

To get a first overview of the changes to the standard, you can also join our free PCI DSS v4.0 webinar on 20th of April: Register here.

5G Security High Assurance

SRC specialist Oberender | 5G Security High Assurance

As part of the CAST forum hot topic: 5G Security, SRC specialist Oberender will give a presen­tation on 5G Security High Assurance. The CAST workshop is hosted by BSI unit SZ32 and will take place online on November 11, 2021.

5G technology will define digital life in Germany in the future and thus its security features directly protect the integrity of society and its citizens. The test procedure currently being developed by BSI is to consist of three parts: a test based on the 3GPP defined SECAM Evalu­ation Method­ology TS 33.916, which is being refined at BSI as a Technical Guideline. Possible further tests will use the Accel­erated Security Certi­fi­cation (ESC) and the Common Criteria (CC) certi­fi­cation scheme. The security assessor’s perspective here is quite unique. SRC has extensive experience in all testing methods and will provide insight into the advan­tages and disad­van­tages of the testing methods with regard to the testing of 5G and 6G commu­ni­cation platforms in this presen­tation. Dr. Jens Oberender presents the different test methods SECAM, BSZ and CC for the approval of 5G security and discusses their objec­tives and focus.

Mobile networks in Germany are currently entering their next evolu­tionary stage with 5G technology. This process is accom­panied by security require­ments and related certi­fi­cation activ­ities. Germany needs secure and sovereign infra­struc­tures for commu­ni­ca­tions. Security features such as relia­bility and avail­ability are essential factors for Germany’s economic devel­opment. The CAST workshop hot topic: 5G-Security provides an overview and outlook on the current status of 5G-Security and its future development.

BSZ Certificate

SRC recog­nized as test center for accel­erated safety certi­fi­cation (BSZ)

On 01 October the “Accel­erated Security Certi­fi­cation (BSZ)”, the new certi­fi­cation procedure of the German Federal Office for Infor­mation Security (BSI) has started. Already on September 28, SRC was recog­nized by the BSI as a testing body for this new procedure. Sandro Amendola is head of the department Standard­ization, Certi­fi­cation and Security of Telecom­mu­ni­cation Networks at the BSI. On behalf of the BSI he handed over the certificate of recog­nition to Peter Jung, who is respon­sible for the BSZ at SRC.

Accel­erated Security Certi­fi­cation is the BSI’s new light­weight procedure for certi­fying the security of IT products. In contrast to a CC certi­fi­cation, a certi­fi­cation according to BSZ has several advan­tages: a consid­erably lower documen­tation effort, a signif­i­cantly shortened imple­men­tation and thus a lower cost.

The certi­fi­cation scheme follows a risk-based approach. In this process, the security perfor­mance of the IT product is tested by a recog­nized testing body such as SRC within a fixed timeframe using confor­mance and penetration tests to determine its security perfor­mance and its resis­tance to attacks.

The user also benefits. He receives compre­hen­sible documen­tation of the security perfor­mance and the promise that any vulner­a­bil­ities that occur are guaranteed to be remedied within the certificate’s validity period.
“After SRC has already carried out the first successful evalu­ation according to BSZ, we are very pleased about the recog­nition as a test center for this innov­ative certi­fi­cation scheme that has now taken place” says Peter Jung as repre­sen­tative of the test center and topic respon­sible for the Accel­erated Security Certi­fi­cation BSZ at SRC.

SRC was one of the first test centers to be recog­nized for BSZ. SRC performed the evalu­ation of the LANCOM-1900EF, the first certified BSZ product ever.

DLT for IT service providers in the banking environment

SRC expert Botermann | DLT for IT service providers in the banking environment

Crypto assets based on blockchains move many states, companies and the world of banks and their IT service providers.

Distributed ledger technology (DLT for short) is the term used to describe the technology of “distributed cash ledgers”. The key difference: trans­ac­tions are legit­imized in a decen­tralized manner and stored with the partic­i­pants. As a disruptive technology, DLT makes numerous inter­me­di­ation and clearing points redundant. Banks are threatened with the loss of their position as anchors for trust­worthy transactions.

But this is precisely where the prospects for future business models lie, since it is precisely the banks that tradi­tionally have expertise in the safekeeping of confi­dential infor­mation. The decisive technical trust anchor of every trans­action via DLT is the customer’s private key. The trusted management of this private key may prove to be a perspective for the evolution of banks’ business models.

To summarize: DLT appli­ca­tions offer IT service providers in the banking environment good oppor­tu­nities to adapt their own business models and also position themselves for the future. Services in the crypto custody business can be seen as a suitable entry point, which can be expanded and supple­mented in the future.

How can business models in the banking environment be adapted to these devel­op­ments? What oppor­tu­nities does the crypto custody business offer? What technical and regulatory require­ments must be met?

In the articles DLT for IT service providers in the banking environment (german), crypto custody business: starting point for business field expansion (german) and crypto custody business as a business area expansion for banks (german) published in gi GELDINSTITUTE and on cash.online, SRC expert Dr. Benjamin Botermann gives an insight and overview of challenges, oppor­tu­nities and stopler stones of the crypto custody business with distributed ledger technology (DLT).

The SRC experts will follow the exciting devel­op­ments in the field of cryptocur­rency and digital euros for you and support you in the realization of your crypto­custody business. We will be happy to inform you about the possi­bil­ities to get involved in this innov­ative sector.

Kick-off for the Digital Euro

Kick-off for the Digital Euro

After long and intensive discus­sions at the European level, the starting signal for the digital euro was given on 14 July 2021. First, core questions on the impact on financial stability and monetary policy as well as on the legal framework and a possible technical imple­men­tation will be clarified within the framework of a two-year study phase. The goal of the intro­duction of the digital euro is still to meet the “needs of the people in Europe” and to serve as a supplement to already estab­lished payment procedures.

A final decision on the design of the digital euro is then expected after the study phase in mid-2023.

“We will enter into a dialogue with the European Parliament and other European decision-makers and inform them regularly about our findings. Individuals, merchants and the payments sector will also be involved,” said Fabio Panetta (Member of the ECB Executive Board and Chair of the Digital Euro Task Force).

Results of the practical test

The preparatory basis for the landmark decision was the results of a practical test phase over nine months, which examined, among other things, technical aspects of distributed ledger technology (DLT for short), data protection, anti-money laundering and the use of existing systems (e.g. TARGET Instant Payment Settlement — TIPS for short). Energy aspects of possible archi­tecture concepts were also inves­ti­gated with the aim of limiting energy consumption to well below the current require­ments of known cryptocur­rencies, e.g. Bitcoin.

Focus on data protection

Consumer protection and data protection aspects are central aspects of the discussion about the digital euro, in addition to the technical imple­men­tation. For consumers, the digital central bank money repre­sents a direct claim against the central bank, which under certain circum­stances can be limited by a cap in the “wallet”. The compe­tition of the digital euro with cash becomes clear in the discussion about the anonymity of payments. It seems clear that — also with a view to combating money laundering — there will be no completely anonymous digital euro.

Assessment of the German Banking Industry

In a statement, the “Deutsche Kreditwirtschaft” empha­sises the digital euro above all in its preser­vation of the monetary sover­eignty of the Eurozone. The digital euro is assessed as a forward-looking means of payment in a digital economy, which coher­ently comple­ments the existing and proven systems and struc­tures. The aim should be to achieve the greatest possible synergies with existing payment solutions so that access to the digital central bank money can be secured for end consumers. There is a consensus that digital­i­sation is changing payment trans­ac­tions and that the ECB must carefully design the digital euro to ensure financial stability. In order to implement the envisaged activ­ities, high invest­ments are inevitable for both the insti­tu­tions and the economy.

Will cryptocur­rencies become more than specu­lative objects?

Estab­lished cryptocur­rencies such as Bitcoin and Co. are gaining impor­tance as specu­lation objects in asset management, but they are currently rather meaningless in payment trans­ac­tions. Never­theless, the ongoing discussion about private cryptocur­rencies, e.g. Diem from the Facebook universe, has certainly driven the discussion about the Digital Euro.

The SRC experts follow the exciting devel­op­ments in the field of cryptocur­rency and the Digital Euro for you and support you in the reali­sation of your crypto custody service. We will be happy to inform you about the possi­bil­ities to get involved in this innov­ative sector.

CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers

CASH.DIGITALWEEK 2021 // Webinar: Cryptocur­rencies create market oppor­tu­nities for banks and financial service providers

In a webinar at CASH-DIGITALWEEK 2021, our expert Dagmar Schoppe will explain how cryptocur­rencies can create new market oppor­tu­nities for banks and financial service providers. The date for the webinar is Thursday, 9 September 2021 at 11:00.

Banks and financial service providers tradi­tionally have not only the technical compe­tences to process trust­worthy business trans­ac­tions, but also the necessary expertise to implement regulatory require­ments. This can be used well as an entry point into the market for services related to cryptocur­rencies, because it is precisely the rapidly growing interest in cryptocur­rencies that opens up growing oppor­tu­nities for credit insti­tu­tions to become active in this market and to serve customers here as well.
For this, it is necessary that the insti­tu­tions increase their visibility in this new market segment. Only in this way can they then respond to enquiries from customers, traders as well as service providers. Corporate customers thus also have the oppor­tunity, for example, to offer cryptocur­rencies they have issued themselves or to optimally support their customers’ digital business processes using blockchain technology. With the support of banks and financial service providers, corporate clients can further advance the digital­i­sation of their business processes.

The SRC experts are following the exciting devel­op­ments in the field of cryptocur­rency for you. During the webinar “CASH.DIGITALWEEK 2021 // Webinar: Cryptocur­rencies create market oppor­tu­nities for banks and financial service providers”, Dagmar Schoppe, Head of Banking Compliance at SRC, will explain possible strategies and answer partic­i­pants’ questions.

SRC provides expert opinion for Gematik's E-Rezept

SRC provides expert opinion on e‑prescription for gematik

IT security plays a special role in the digital­i­sation of the healthcare system. In the context of the intro­duction of the electronic prescription (e‑prescription) for which gematik is respon­sible, the security of all compo­nents will be tested by independent experts approved by gematik.
The intro­duction of the e‑prescription and the e‑prescription app started on 1 July 2021. By then, data security for patients, doctors and pharma­cists had to be ensured. In order to check the security of these appli­ca­tions in their daily work, gematik, with the approval of the Federal Office for Infor­mation Security, commis­sioned several expert opinions to test the appli­ca­tions. Some of these expert opinions were prepared by the experts of the SRC. The result: Nothing stands in the way of a controlled commis­sioning into production operation. The appli­ca­tions can be integrated into the telem­atics infra­structure (TI).

The prereq­uisite for the test phase that now follows is the security assessment, in which the SRC assessors were involved for two compo­nents. SRC employees have been accredited as experts by gematik since 2014 and have assessed the identity provider service of RISE as well as the specialist service e‑prescription of IBM. gematik published the summary of the expert reports prepared by the SRC experts on its website on 1 July 2021.

In the test phase that has just started, the e‑prescription is now being tested in everyday practice in the model region of Berlin-Brandenburg. Here, practical findings on the inter­action of all compo­nents involved in the e‑prescription are to be collected first. The nationwide intro­duction of the e‑prescription is being prepared for the 4th quarter of 2021.

Every person with statutory health insurance can use their NFC-enabled electronic health card (eGK) with the corre­sponding PIN for the e‑prescription. The eGK is issued as standard by the statutory health insurance funds to their insured persons.
From 2022, the e‑prescription will be oblig­atory for all those insured by the statutory health insurers, but private health insurers have already made clear their interest in partic­i­pating in the e‑prescription. For the time being, private health insurers can decide volun­tarily whether to issue the eGK to their insured.
“The intro­duction of the e‑prescription and the associated app is undoubtedly a milestone for the digital­i­sation of the German health system. At SRC, we are a little proud to have contributed to securing this solution with our work,” says Randolf Skerka, Head of IS Management at SRC.
“This assessment was charac­terised by smooth and intensive coordi­nation with the manufac­turers RISE and IBM as well as gematik. Only in this way was it possible to ensure the high quality in the short time available,” says Dr. Jens Putzka on behalf of all colleagues involved at SRC.

LANCOM 1900EF

Lancom 1900EF VPN Router receives first Accel­erated Security Certi­fi­cation (BSZ)

The BSI has granted LANCOM Systems GmbH the first certificate according to the new BSI scheme “Accel­erated Security Certi­fi­cation” (BSZ for short). In this pilot procedure, SRC evaluated the security features of the Lancom 1900EF VPN Router and finally recom­mended approval to the BSI.

LANCOM has already had the security of its solutions tested and confirmed or certified by SRC in many proce­dures using Common Criteria evalu­a­tions or penetration tests. With the pilot evalu­ation for the BSZ, the BSI, LANCOM and SRC have jointly set a further standard for the certi­fi­cation of IT security solutions, with the aim of achieving time-to-market certification.

The Accel­erated Security Certi­fi­cation (BSZ) allows manufac­turers to have their products evaluated and certified by the BSI within a specified period of time. The evalu­ation must be carried out by a test centre recog­nised by the BSI. With the BSZ, the total effort of the evalu­ation, in comparison to e.g. Common Criteria evalu­a­tions, is prede­ter­mined from the beginning (fixed time). This allows manufac­turers to estimate the expected effort well.

When designing the attack scenarios, the BSZ allows the evalu­ators a relatively large leeway. This test catalogue must be presented to the BSI exten­sively and in detail. This design leeway demands an above-average degree of expertise, care and creativity from both the evalu­ation facility insti­tution and each individual evaluator. The test catalogue and the final evalu­ation in the test report draw on a broad know-how of cryptog­raphy, penetration tests, protocol attacks. The imple­men­tation by the manufac­turer is evaluated by the test centre and the respon­sible persons at SRC have to defend this against the critical view of the BSI.

“Accel­erated security certi­fi­cation will certainly play a major role, especially in the field of IOT devices,” says Gerd Cimiotti, Managing Director of SRC Security Research & Consulting GmbH. Like Lancom and the BSI, he expresses his thanks for the profes­sion­alism on all sides with which this pilot procedure was ultimately brought to a successful conclusion.

Ralf Koenzen, founder and managing director of LANCOM Systems GmbH, gives the manufacturer’s perspective: “When you do something for the first time, the effort is always greater. It is precisely then that you feel the experience and expertise of a partner like SRC as orien­tation and noticeable relief.”

As a long-standing partner of the BSI, SRC has already carried out a large number of projects in the most diverse approval schemes. SRC is currently in the process of being recog­nised as a test centre for accel­erated security certification.

We would also be happy to accompany your accel­erated security certi­fi­cation. If you have any questions about the BSZ, please do not hesitate to contact us.