How would this sit with payment gateways from a PCI standpoint?
An ideal customer would be an e-commerce marketplace; I imagine that Sift Science would want to receive as much information about the customer as possible, including credit card / address details. Are you guys completely PCI compliant? You're taking 10 out of 16 credit card digits...
From a quick glance of your website you make no reference to PCI.
Great question. We should add it to a FAQ. The PCI-DSS rules apply to systems that store the entire credit card number ("PAN" in PCI-DSS parlance). We don't accept the full credit card number -- just the first six digits (which identify the type of credit card and bank) and the last four (typically printed on receipts), which the PCI-DSS rules allow for. So if you're PCI compliant already, you'll still be PCI compliant if you use Sift Science.
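The truncation rule described in this reply (keep the first six and last four digits, drop the middle) is easy to get wrong at the ingest boundary, where a full PAN can leak into logs or a request body before anything masks it. The following is an added example, not Sift Science's code or API: it validates the Luhn checksum before accepting input, produces the truncated form, and counts how many full PANs are consistent with a given truncated string, which is the "search space" the later comments argue about. The sample number 4111111111111111 is a well-known test card number, used here only as constructed input.

```python
"""PAN truncation and Luhn validation helpers (added example, hypothetical names)."""
from typing import Dict


def _luhn_digit(d: int, double: bool) -> int:
    """Contribution of one digit to the Luhn sum (doubled digits >9 have 9 subtracted)."""
    if not double:
        return d
    return d * 2 - 9 if d > 4 else d * 2


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit (from the right) is doubled.
    for i, ch in enumerate(reversed(pan)):
        total += _luhn_digit(int(ch), i % 2 == 1)
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep the BIN (first six) and last four digits; mask everything else with 'x'.

    Rejects input that is not a plausible card number so that malformed data is
    refused at the boundary instead of being stored or forwarded.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    if hidden < 0:
        raise ValueError("truncation would expose the whole PAN")
    return digits[:keep_first] + "x" * hidden + digits[-keep_last:]


def hidden_digit_combinations(truncated: str, mask: str = "x") -> int:
    """Count full PANs that match a truncated string and pass the Luhn check.

    Uses a small dynamic program over the checksum residue mod 10 rather than
    enumerating candidates. Because the Luhn digit map is a bijection mod 10,
    each hidden digit beyond the first multiplies the count by 10, so six
    hidden digits leave exactly 10**5 consistent numbers.
    """
    known = 0
    # residue (mod 10) contributed so far by hidden positions -> number of ways
    ways: Dict[int, int] = {0: 1}
    for i, ch in enumerate(reversed(truncated)):
        double = i % 2 == 1
        if ch == mask:
            nxt: Dict[int, int] = {}
            for d in range(10):
                c = _luhn_digit(d, double)
                for r, n in ways.items():
                    nxt[(r + c) % 10] = nxt.get((r + c) % 10, 0) + n
            ways = nxt
        else:
            known += _luhn_digit(int(ch), double)
    # Hidden digits must cancel the known contribution to reach 0 mod 10.
    return ways.get((-known) % 10, 0)


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed input: public test card number
    masked = truncate_pan(sample)
    print(masked)                              # 411111xxxxxx1111
    print(hidden_digit_combinations(masked))   # 100000
```

The count function is there to make the risk concrete for a review discussion: a 16-digit PAN truncated to first-six/last-four leaves 100,000 checksum-valid candidates, which is why the truncated form should still be treated as sensitive and kept out of receipts, logs, and analytics exports that also carry expiry date or name.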
There is no requirement in their api to supply CC details... so no requirement to be PCI.
So it would be weird if they did mention PCI...
The first 6 and the last 4 is not enough to make a valid CC... And if you are still guessing the last details then it's the same as just guessing the full number. (just you'll get there quicker)
No, but 10 of 16 numbers that must conform to a checksum algorithm significantly reduces the search space to a point that a brute force seems trivial if other information is already possessed (e.g., zip code, or especially, cvv).
The MyKi ticketing system in Australia prints the first 6 digits, last 4 digits, expiry date and full name on its receipts. I mentioned to them in the past how easily it could be attacked, but the response was "nobody would do that".
Brute forcing "ALL" the credit card numbers is not hard... Limiting the search space doesn't make it easier... it just saves a little bit of electricity.