10.5 PCard Security

Card Number Validation

With the exception of GECF ePcards and Ghost Cards, all Procurement Card numbers are validated using a proprietary formula for the generation of a card number. PECOS P2P valuates the “correctness” of a number according to the respective card type proprietary format, using an algorithm known as the Luhn algorithm. This ensures that a PCard Number has been entered correctly.

PCI Data Security Standards

In an effort to improve security and comply with current PCI (Procurement Card Industry) Data Security Standards for the storage and transmission of cardholder data, a System Dynamic Option exists. This option allows organisations to select an option for masking card data in both the administration pages and the transmitted purchase order.

The following three security options are available:

Level 2 PCard Security

• The card number is masked in the Procurement Card Search popup window.
  
• The CVV2 field is masked in the Procurement Card admin page.
  
• The CVV2 field is masked in the Order Delivery and Invoicing page when adding/updating personal procurement cards. (Users can be allowed to dynamically enter personal procurement card data through the assignment of a dynamic option.)
• The CVV2 field is masked in the Requisition Delivery and Invoicing page when adding/updating personal procurement cards. (Users can be allowed to dynamically enter personal procurement card data through the assignment of a dynamic option.)
  

Level 3 PCard Security

• PO Template: the card number is always masked, even when being transmitted to the supplier.
• PO Template: the expiration date is masked.
• PO Template: the CVV2 is always masked, even when being transmitted to the supplier.
  

Level 4 PCard Security

• The CVV2 field is removed from the procurement card admin page.
• The CVV2 field is removed from the order delivery and invoicing page.
• The CVV2 field is removed from the requisition delivery and invoicing page.