The most frequently cited and referenced part of PCI DSS relates to the protection of cardholder data, mainly the card number (PAN), the cardholder's name and the card expiration date.
Now, Dave Birch of Consult Hyperion (one of the leading consultancies in the payments industry) as well as Mark Austin, head of contactless at Visa Europe, are saying that the information "on the front of a bank card" is not... sensitive. At all!
Hm, the information on the front of your bank card is exactly the data PCI is making so much fuss about: PAN, cardholder name and the expiration date...
Merchants and payment device developers go to a lot of expense and effort to protect the PAN, in particular. Why bother, if that data is easily available to anyone with an NFC phone?
Whilst we are on the subject, let's open another can of worms - do we really need PAN on the card? We had a lengthy discussion with MasterCard about that and they said... "Well, that depends." That was after we pointed to a Barclaycard NFC sticker which is, essentially, a... contactless bank card. It has neither name, nor PAN, nor the expiration date on it. And works just fine.
On a related note, as part of our market research programme, for the past few months I have been attempting to pay in shops with my... Priority Pass. Not a single shop assistant ever (!) questioned that card. Some noticed it doesn't have a chip and suggested that I... use a mag stripe - "It's one of those American cards, init, mate?" The absence of a Visa, MasterCard or Amex logo was never part of the conversations I had at the till.
To sum it up, my card number is not a big deal. And I don't even need one. (The same goes for the card scheme logos, but that's a subject for another blog post.)