Last month my ex-colleagues at Mastercard published a brilliant new FAQ about the protection of virtual card numbers in respect of Mastercard’s Site Data Protection (SDP) programmes - i.e. how processing virtual cards can affect merchants’ and service providers’ PCI DSS compliance. The FAQ addresses one of the most commonly asked questions in respect of single-use virtual card numbers (SU-VCN) and PCI DSS compliance.[1]
The tl;dr is that systems which store, process or transmit Mastercard SU-VCNs may be considered out of scope of the PCI DSS requirements IF:
The single use property of a SU-VCN is enforced by technical controls (i.e. it can only be authorised once — this control is probably at the issuer); AND
The systems deemed out of scope never store, process or transmit any other type of card data, such as data from multi-use virtual cards or from traditional physical cards.
The FAQ rightly suggests that you should get a QSA’s help in determining this.
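What “enforced by technical controls” means in practice is that the issuer’s authorisation host, not the merchant, refuses a second authorisation on the same number. The following is an added illustration of that control, not Mastercard’s, any issuer’s or this post’s own code: the PANs, the amount limit, the response codes and the lock-based state machine are all constructed for the example. A real issuer host would also handle reversals, partial authorisations and expiry windows, which are deliberately left out here.

```python
from __future__ import annotations

import threading
from dataclasses import dataclass
from enum import Enum


class CardState(Enum):
    ISSUED = "issued"          # generated, never yet authorised
    AUTHORISED = "authorised"  # one approved authorisation has been recorded
    EXPIRED = "expired"        # validity window passed without use


@dataclass
class SingleUseCard:
    pan: str
    amount_limit: int          # maximum authorisable amount, in minor units (assumed)
    state: CardState = CardState.ISSUED


class SingleUseIssuerHost:
    """Toy issuer authorisation host that enforces the single-use property.

    The property that matters is that the ISSUED -> AUTHORISED transition is
    checked and applied under one lock, so two authorisation requests for the
    same PAN arriving at the same instant cannot both be approved.
    """

    def __init__(self) -> None:
        self._cards: dict[str, SingleUseCard] = {}
        self._lock = threading.Lock()

    def issue(self, pan: str, amount_limit: int) -> None:
        with self._lock:
            if pan in self._cards:
                raise ValueError("PAN already issued")
            self._cards[pan] = SingleUseCard(pan, amount_limit)

    def expire(self, pan: str) -> None:
        with self._lock:
            card = self._cards.get(pan)
            if card is not None and card.state is CardState.ISSUED:
                card.state = CardState.EXPIRED

    def authorise(self, pan: str, amount: int) -> str:
        """Return a constructed response code for one authorisation request."""
        with self._lock:
            card = self._cards.get(pan)
            if card is None:
                return "DECLINED_UNKNOWN_PAN"
            if card.state is CardState.AUTHORISED:
                return "DECLINED_ALREADY_USED"
            if card.state is CardState.EXPIRED:
                return "DECLINED_EXPIRED"
            if amount > card.amount_limit:
                # Design choice for this example: an over-limit request is
                # declined without consuming the number, so a failed attempt
                # does not burn the legitimate merchant's single use.
                return "DECLINED_OVER_LIMIT"
            card.state = CardState.AUTHORISED
            return "APPROVED"

    def state_of(self, pan: str) -> CardState:
        with self._lock:
            return self._cards[pan].state


def demo() -> list[str]:
    """Constructed sequence: an over-limit attempt, the merchant's real
    authorisation, then two replays of the (now stolen) number."""
    host = SingleUseIssuerHost()
    pan = "5000000000000009"  # constructed, not a real card number
    host.issue(pan, amount_limit=12_000)
    return [
        host.authorise(pan, 12_001),   # over limit: declined, number still usable
        host.authorise(pan, 11_950),   # legitimate merchant: approved
        host.authorise(pan, 11_950),   # replay of the same number: declined
        host.authorise(pan, 100),      # any later amount: still declined
    ]


def concurrent_burst(n_threads: int = 50) -> int:
    """Fire n concurrent authorisations at one fresh number and return how
    many were approved. Correct single-use enforcement yields exactly 1."""
    host = SingleUseIssuerHost()
    pan = "5000000000000017"  # constructed, not a real card number
    host.issue(pan, amount_limit=5_000)
    responses: list[str] = []

    def worker() -> None:
        responses.append(host.authorise(pan, 4_999))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return responses.count("APPROVED")
```

The merchant-side scope exclusion rests entirely on this issuer-side behaviour, so the evidence a QSA will want is not a policy statement but proof that a second authorisation of a used number is actually declined, including under concurrent load; `concurrent_burst` is the shape of that check.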
This is a great move from the SDP team at Mastercard because it clears up recurrent confusion. There was a previous Mastercard FAQ that was removed a few years ago, but which people still relied on (and even sent screenshots of it to argue a point). There’s much more to read in the new FAQ than just this part about SU-VCNs, and it is recommended reading.
Visa’s position
Visa published their guidance on the treatment of virtual card numbers in 2020.[2]
“Visa considers single-use virtual Visa account numbers and multi-use virtual Visa account numbers with Dynamic Card Verification Value 2 (dCVV2) out of scope for PCI DSS protection requirements based on the low risk of fraud associated with the account type.”
What the PCI SSC says, and the problem with words
You may be wondering why Visa and Mastercard both issue their own guidance on the applicability of PCI DSS to virtual cards. Whether a particular brand requires its card data to be protected by PCI DSS is a risk decision for each brand, and so falls within the competitive marketplace between the brands. This is why the PCI SSC FAQ 1285[3] that answers the question “Does PCI DSS apply to one-time or single-use PANs?” ties itself in knots by first saying:
PCI DSS applies to all primary account numbers (PANs) that represent a PCI SSC Participating Payment Brand.
But then goes on to contradict itself by saying PCI DSS might not apply …
Whether a one-time PAN is in scope for PCI DSS will depend on the particular restrictions around their usage as defined by the payment brands. Entities should contact the applicable payment brand to determine how PCI DSS applies. (my emphasis)
This is a hard problem to solve, because on the one hand the PCI SSC wants to make PCI DSS easy to understand with the simple message that PCI DSS applies wherever cardholder data is stored, processed or transmitted, but then it also has to be technically correct by saying that it only really applies to payment card data that a compliance-mandating entity[4] says it applies to.
With the brands kind-of-not-requiring EMV chip data to be protected[5] and definitely-not-requiring EMV token data to be protected,[6] this messaging is sure to become more complex!
If you found this answer useful or informative, subscribing will encourage me to write more (and if you thought it rubbish, the converse is also true).
[4] Compliance-mandating entities can be one of the PCI SSC payment brands, or a national scheme/brand such as NPCI, or even a national regulator.
[5] Visa, Mastercard and American Express don’t require merchants that process a certain percentage of transactions via EMV terminals to “validate compliance”. I know that’s not exactly the same as not requiring compliance, but it shows the brands are less worried about this type of data being stolen.
[6] See PCI SSC FAQ 1326, How does PCI DSS apply to EMVCo Payment Tokens?
Hi John, love the site, thank you for your great work! Any chance you have a source for item 5 above? All of our terminals are EMV terminals and I’d like to engage with our bank on this topic. Thank you!