Test Primary Account Number (PAN) Policy


Policy Owner: Assistant Treasurer, Customer Payments

Note: An owner must be a PCES-level manager.

This policy provides formally documented management expectations and intentions.

PURPOSE

This document provides formally documented management expectations and intentions and is used to direct decisions and ensure consistent and appropriate development and implementation of processes, standards, roles, and activities.

The Payment Card Industry (PCI) Data Security Standard (DSS) states that production Primary Account Number (PAN) may not be used in non-production environments. Test PAN is a 15- or 16-digit number that is used to imitate production PAN in the United States Postal Service (USPS) non-production environments, and may or may not pass the Luhn formula. Test PAN may be self-generated or provided by an acquiring bank.

The purpose of this policy is to provide USPS employees and contractor staff with requirements related to the creation, management, and handling of Test PAN.

SCOPE

This document is used in conjunction with all IT and Security Policies, Processes, and Standards, including those listed in the Supporting Documentation section.

This policy applies to all Postal Service employees and contractors who need to use Test PAN in any capacity in any Postal Service non-production environment. Examples of Postal Service non-production environments include but are not limited to the following:

POLICY

The PCI DSS states that Production data (Production PAN) cannot be used for testing or development. Application testing in non-production environments that transmit, process, or store Test PAN must adhere to the following requirements:

SUPPORTING DOCUMENTATION

Payment Card Industry Data Security Standard (PCI DSS)

Access Supporting Documentation from ITWEB (Internal):

Test PAN Creation Procedure

Access Supporting Documentation from USPS.com (External):

For access to the Test PAN Creation Procedure, contact the US Postal Service. See Publication 5, Let's Do Business, for further information about local US Postal Service contacts.

REVISION HISTORY

Version Date Description
1.0 12.05.2013 Initial release
1.1 06.12.2015
  • Removed conflicting statement in Purpose about Luhn formula. (Any number passing a Luhn formula in a production environment may not be used in non-production environments.)
  • Replaced references to PCI PMO with Treasury to reflect organizational change.
  • Removed requirement to track Test PAN with PCI PMO. Application and Treasury are responsible for tracking.
  • All test PAN must be created and managed following the Test PAN Creation Procedure.
  • Updated PCI DSS 2.0 to 3.1.
  • The annual review for functional accuracy and current PCI DSS requirements has been completed. CR 80671
1.1.1 10.16.2015 Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 117383
1.2 07.22.2016 Changed "PCI PMO" to "IT CMO." Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 195809
1.2.1 07.12.2017 Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 286566