Test Primary Account Number (PAN) Policy
Policy Owner: Assistant Treasurer, Customer Payments
Note: An owner must be a PCES-level manager.
This document provides formally documented management expectations and intentions and is used to direct decisions and ensure consistent and appropriate development and implementation of processes, standards, roles, and activities.
The Payment Card Industry (PCI) Data Security Standard (DSS) states that production Primary Account Number (PAN) may not be used in non-production environments. Test PAN is a 15- or 16-digit number that is used to imitate production PAN in the United States Postal Service (USPS) non-production environments, and may or may not pass the Luhn formula. Test PAN may be self-generated or provided by an acquiring bank.
The purpose of this policy is to provide USPS employees and contractor staff with requirements related to the creation, management, and handling of Test PAN.
This document is used in conjunction with all IT and Security Policies, Processes, and Standards, including those listed in the Supporting Documentation section.
This policy applies to all Postal Service employees and contractors who need to use Test PAN in any capacity in any Postal Service non-production environment. Examples of Postal Service non-production environments include but are not limited to the following:
- Development (DEV)
- System integration testing (SIT)
- Customer acceptance testing (CAT)
- Training environments
The PCI DSS states that Production data (Production PAN) cannot be used for testing or development. Application testing in non-production environments that transmit, process, or store Test PAN must adhere to the following requirements:
- Production PAN must not be used in non-production environments.
- Test PAN:
  - Must not be:
    - Used in production environments
    - A copy of production PAN
  - Must be tracked by the application where the PAN is used
  - Creation and management must follow the Test PAN Creation Procedure.
- Internally generated Test PAN may be used in non-production environments only if it is requested, created, and issued or reissued as stated in the Test PAN Creation Procedure.
- Externally provided Test PAN from outside sources or third parties (e.g., acquiring banks) may be used in non-production environments if its number and location are emailed to the IT CMO (with the Subject “Existing Test PAN”).
Payment Card Industry Data Security Standard (PCI DSS)
Access Supporting Documentation from ITWEB (Internal):
Access Supporting Documentation from USPS.com (External):
For access to the Test PAN Creation Procedure, contact the US Postal Service. See Publication 5, Let's Do Business for further information about local US Postal Service contacts.
|1.1.1||10.16.2015||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 117383|
|1.2||07.22.2016||Changed "PCI PMO" to "IT CMO." Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 195809|
|1.2.1||07.12.2017||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 286566|
|1.2.2||07.30.2018||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 386458|