
PCI-DSS Payment Card Data


Validate payment card data — PAN Luhn check, masking compliance, expiration dates, and BIN format per PCI-DSS standards.


Install with the CLI
$ npx dqhub install pci-dss-payments --format soda --table YOUR_TABLE

About this pack

Data quality rules for PCI-DSS compliance in payment processing. Covers:

- PAN (Primary Account Number) Luhn validation
- PAN masking verification (first 6 + last 4 only)
- Card expiration date format (MM/YY)
- BIN/IIN format validation (6-8 digits)

Based on PCI-DSS v4.0 requirements for cardholder data protection.

Sources & References

BCBS_239 — Principle 2

Data architecture and infrastructure must use standardized reference data

What's included

6 format rules
4 completeness rules
1 uniqueness rule
1 range rule

Checks included (12)

PAN Luhn Check Digit Validation (pan)

Validates that Primary Account Numbers (PANs) pass the Luhn algorithm (mod-10 checksum). A PAN must be 13-19 digits long, and the last digit must satisfy the Luhn check. This is a fundamental validation for payment card numbers per PCI-DSS and ISO/IEC 7812.

PAN Masking Validation (pan_masked)

Validates that Primary Account Numbers (PANs) are properly masked per PCI-DSS requirements. Only the first 6 digits (BIN/IIN) and last 4 digits may be displayed; all middle digits must be masked with X or * characters. This ensures cardholder data is not stored or displayed in the clear.

Card Expiration Date Format (card_expiry)

Validates that payment card expiration dates conform to the standard MM/YY or MMYY format. The month must be between 01 and 12. This rule checks format validity; business logic for past-date checks should be applied separately at the application layer.

Bank Identification Number (BIN/IIN) Format (bin)

Validates that Bank Identification Numbers (BINs), also known as Issuer Identification Numbers (IINs), conform to the correct format. A BIN is the first 6 to 8 digits of a payment card number and identifies the issuing institution. Per ISO/IEC 7812, the industry migrated from 6-digit to 8-digit BINs starting April 2022.

ISO Currency Code Validation (currency_code)

Validates that values are valid ISO 4217 currency codes (e.g., USD, EUR, GBP, JPY).

Card Number Tokenization Check (card_token)

Validates that stored card numbers are tokenized and not raw PANs. Values must NOT match a 13-19 consecutive digit pattern. Tokenized values typically contain non-numeric characters or are fixed-length alphanumeric tokens.

Column Not Null

Asserts that a specified column contains no null values. This is the most fundamental completeness check — every row must have a value present in the target column.

Column Completeness Threshold

Asserts that a column meets a minimum completeness threshold, measured as the percentage of non-null values. Useful when some nulls are acceptable but the overall population rate must stay above a defined level (e.g., 95%).

CVV/CVC Not Stored (cvv)

Validates that CVV/CVC/CID security codes are never stored post-authorization. The column must be NULL or empty for all rows. Storing CVV is explicitly prohibited by PCI-DSS even if encrypted.

Sensitive Authentication Data Not Stored (track_data)

Validates that sensitive authentication data (full magnetic stripe, PIN blocks, CVV2) is not stored after authorization. These columns must be NULL or empty in all post-authorization records.

Column Unique

Validates that all non-null values in a specified column are unique. Useful for natural keys, email addresses, identifiers, and any column where duplicates indicate a data quality issue.

Card Data Retention Period Check (card_expiry)

Validates that stored card data has not exceeded its retention period. Card expiry dates older than the configured limit (default 10 years) should be flagged for deletion per PCI-DSS data retention policies.
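
The four card-format rules described above (pan, pan_masked, card_expiry, card_token), written out as an added Python example; this is not the pack's own rule definitions. The function names, the sample rows, and the stripping of spaces and hyphens in the token check are assumptions made for illustration.

```python
import re

def luhn_ok(pan: str) -> bool:
    """pan rule: 13-19 digits whose last digit satisfies the Luhn (mod-10) check."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    # From the right: the check digit is position 0; double every odd position.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def masked_ok(value: str) -> bool:
    """pan_masked rule: first 6 and last 4 digits visible, 3-9 middle chars all X or *."""
    return re.fullmatch(r"\d{6}[X*]{3,9}\d{4}", value) is not None

def expiry_ok(value: str) -> bool:
    """card_expiry rule: MM/YY or MMYY, month 01-12 (format only, no past-date check)."""
    return re.fullmatch(r"(0[1-9]|1[0-2])/?\d{2}", value) is not None

def token_ok(value: str) -> bool:
    """card_token rule: no run of 13-19 digits. Assumption: spaces and hyphens
    are stripped first so a separator-formatted PAN is still caught."""
    compact = re.sub(r"[ -]", "", value)
    return re.search(r"(?<!\d)\d{13,19}(?!\d)", compact) is None

RULES = {"pan": luhn_ok, "pan_masked": masked_ok,
         "card_expiry": expiry_ok, "card_token": token_ok}

def failed_rules(row: dict) -> list:
    """Return the column names in `row` whose value fails its rule."""
    return [col for col, rule in RULES.items() if col in row and not rule(row[col])]

# Constructed sample rows; 4111111111111111 is a widely used test number, not a live card.
SAMPLE_ROWS = [
    {"pan": "4111111111111111", "pan_masked": "411111XXXXXX1111",
     "card_expiry": "09/27", "card_token": "tok_8f3a9c21d4"},
    {"pan": "4111111111111112", "pan_masked": "4111111111XX1111",
     "card_expiry": "13/27", "card_token": "4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(failed_rules(row))
```

The second row fails all four rules: a wrong check digit, too many visible digits in the masked value, month 13, and a raw PAN with spaces sitting in the token column.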