0

I am using an ecommerce website that accepts and stores CC information. In the webpage, they show only the last 4 digits (which is perfectly fine). But when I intercept the request/response, I could see the complete CC number as part of one API response. Anyways they don't show security code/CVV.

  1. Does sending complete CC number to end user violate PCI compliance?
  2. What are the issues this might cause? I could think of only one scenario - If the account is compromised, attacker can get the complete card number and he can brute force the CVV or use the number on sites that doesn't require CVV.
Improve this question
1
  • Is this in relation to a “saved cards” kind of page? Or during the payment itself? Commented Apr 8, 2019 at 23:15

1 Answer 1

Reset to default
1

It sounds like you are saying that the web application masks the user's credit card, but that masking is only in the client-side UI; the server passes the full card back to the user at the API level.

I don't think this is technically a violation of the PCI DSS, because it is in fact masking displayed data, but it's clearly a violation of best practices and I would not be surprised if a QSA found it to be a violation. Most stores are very careful never to "play back" the full PAN to a user, in case an attacker manages to get access to the account.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.