Test Primary Account Number (PAN) Policy
Policy Owner: Assistant Treasurer, Customer Payments
Note: An owner must be a PCES-level manager.
This document provides formally documented management expectations and intentions and is used to direct decisions and ensure consistent and appropriate development and implementation of processes, standards, roles, and activities.
The Payment Card Industry (PCI) Data Security Standard (DSS) states that production Primary Account Number (PAN) may not be used in non-production environments. Test PAN is a 15- or 16-digit number that is used to imitate production PAN in the United States Postal Service (USPS) non-production environments, and may or may not pass the Luhn formula. Test PAN may be self-generated or provided by an acquiring bank.
The purpose of this policy is to provide USPS employees and contractor staff with requirements related to the creation, management, handling, and destruction of Test PAN.
This document is used in conjunction with all IT and Security Policies, Processes, and Standards.
This policy applies to all Postal Service employees and contractors who need to use Test PAN in any capacity in any Postal Service non-production environment. Examples of Postal Service non-production environments include but are not limited to the following:
- Development (DEV)
- System integration testing (SIT)
- Customer acceptance testing (CAT)
- Training environments
The PCI DSS states that Production data (Production PAN) cannot be used for testing or development. Application testing in non-production environments that transmit, process, or store Test PAN must adhere to the following requirements:
- Production PAN must not be used in non-production environments.
- Test PAN:
  - Must not be:
    - Used in production environments
    - A copy of production PAN
  - Must be tracked by the application where the PAN is used
|1.1.1||10.16.2015||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 117383|
|1.2||07.22.2016||Changed "PCI PMO" to "IT CMO." Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 195809|
|1.2.1||07.12.2017||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 286566|
|1.2.2||07.30.2018||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 386458|
|2.0||01.23.2019||Rewrites in all sections. Deletion of the Supporting Documentation section. CR 428468|