Galileo prioritizes security by carefully handling PCI-sensitive data and personally identifiable information (PII):
- PAN
- expiry date
- CVV
- PIN
- U.S. Social Security number (SSN)
These values are encrypted while they are stored in the Galileo system, if they are stored at all. Galileo can provide some of these values to you if you are PCI compliant; otherwise, they are masked or replaced by spaces.
To demonstrate PCI compliance you must submit an Attestation of Compliance (AOC), the signed form that records the outcome of your assessment against the Payment Card Industry Data Security Standard (PCI DSS). Depending on your level, that assessment is either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) produced by a Qualified Security Assessor; the AOC is not itself the questionnaire. Contact Galileo for more information on the different levels of PCI compliance and how you can fulfill the requirements.
The following values are affected by PCI compliance.
PAN
In most contexts, the PAN is masked by default so that only the first six and last four digits are visible, for example 452218XXXXXX3665. Galileo assigns a CAD (the Galileo card ID) to every PAN. The CAD identifies an individual card without exposing the PAN, so you can use it whether or not you are PCI compliant. Galileo recommends that you pass the CAD rather than the PAN in accountNo wherever the endpoint permits it.
The full PAN is available as follows when you are PCI compliant (otherwise the same fields carry the masked form):
- RDFs: CARD NUMBER
- Program API: card_number, as returned by these endpoints:
  - Create Account
  - Create Virtual Card Account (never returns a masked value)
  - Add Account
  - Get Card
  - Get Account Cards
  - Replace Lost/Stolen Card
Expiry date
The expiry date of a card is PCI-sensitive data only when it accompanies the full PAN. It appears in these fields:
- RDFs: EXPIRATION DATE
- Auth API: expiration_date
- Events API: exp_date
- Program API: expiry_date
CVV
The CVV is returned in the card_security_code field of Program API endpoints only if you are PCI compliant. Even then, PCI DSS does not permit storing the CVV after authorization, so treat the value as transient: use it for the immediate purpose and never write it to a database or a log.
PIN
Galileo never includes the PIN, masked or unmasked, in Program API responses, Events API messages, the Auth API, or the RDFs.
If you employ a Galileo PIN-set method in your interface, the PIN may pass through your system depending on the method:
- Direct render — PIN does not pass through your system
- Direct POST — PIN does pass through your system; PCI compliance required
If you want to provide the PIN to your cardholders, use the PIN Retrieval Service, which passes the PIN directly to the cardholder.
SSN
When passing the SSN in an enrollment endpoint, always use the id input parameter. This value is masked by default unless you are PCI compliant. The contents of the id2 input parameter, on the other hand, are never masked. See Using the id and idType parameters for more information.
The SSN of an account holder is returned in these Program API response fields only when the CINFN provider parameter is set:
- ssn
- id (when idType is 2)
In the Customer Master RDF, the SSN field contains the SSN but not other values that you input for id. If you are not PCI compliant, you receive only blank spaces. The contents of the ID2 field are not masked.
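The PAN and SSN sections above describe what Galileo masks and what it hands you in full; once a full PAN or SSN is in your system, keeping it out of your own logs is your problem. The following is an added example, not code from Galileo or from this page: it strips the CVV outright, masks a full PAN into the 452218XXXXXX3665 form the page describes, masks an SSN returned in ssn or in id with idType 2, and scans free-text log lines for Luhn-valid digit runs. Only card_number, expiry_date, card_security_code, ssn, id and id2 are field names taken from the page; the cad and id_type keys, the SSN mask format and the sample response are assumptions constructed for the example.

```python
"""Added example (not Galileo's code): drop or mask PCI-sensitive values from a
Program API response and from free-text log lines before they reach a log.
card_number, expiry_date, card_security_code, ssn, id and id2 come from the
page; "cad", "id_type" and the SSN mask format are assumptions."""
import json
import re
from typing import Any

# Galileo's default masked PAN form: first six digits, X in the middle, last four.
MASKED_PAN_RE = re.compile(r"^\d{6}X{3,9}\d{4}$")
# Candidate full PANs inside free text: 13 to 19 digit runs (ISO/IEC 7812 lengths).
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# A 9-digit SSN, with or without dashes.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

DROP_FIELDS = {"card_security_code", "pin"}  # CVV and PIN are never logged at all
PAN_FIELDS = {"card_number"}
SSN_FIELDS = {"ssn"}


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_full_pan(value: Any) -> bool:
    return (isinstance(value, str) and value.isdigit()
            and 13 <= len(value) <= 19 and luhn_valid(value))


def mask_pan(pan: str) -> str:
    """Return the PAN in masked form; an already-masked value passes through."""
    if MASKED_PAN_RE.match(pan):
        return pan
    if not is_full_pan(pan):
        raise ValueError("value is neither a full nor a masked PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def mask_ssn(value: str) -> str:
    """Keep the last four digits only (our own log format, not Galileo's).
    Values Galileo already masked do not match SSN_RE and pass through."""
    m = SSN_RE.match(value)
    return "XXX-XX-" + m.group(3) if m else value


def redact_response(obj: Any) -> Any:
    """Return a copy of a decoded JSON response with sensitive values dropped or masked."""
    if isinstance(obj, list):
        return [redact_response(x) for x in obj]
    if not isinstance(obj, dict):
        return obj
    out = {}
    id_is_ssn = obj.get("id_type") == 2  # assumed field name carrying idType
    for key, val in obj.items():
        if key in DROP_FIELDS:
            continue
        if key in PAN_FIELDS:
            out[key] = mask_pan(val) if is_full_pan(val) else val
        elif key in SSN_FIELDS or (key == "id" and id_is_ssn):
            out[key] = mask_ssn(val) if isinstance(val, str) else val
        else:
            # expiry_date, cad and id2 stay: the expiry date is PCI-sensitive
            # only next to a full PAN, and the PAN in this record is now masked.
            out[key] = redact_response(val)
    return out


def redact_text(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in a free-text line. Roughly one in
    ten random digit strings passes Luhn, so a long reference number may be
    over-masked; for a log that is the safe direction."""
    return PAN_CANDIDATE_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), line)


# Constructed sample response; the PAN is Luhn-valid and masks to the page's example.
SAMPLE_RESPONSE = {
    "status": "Success",
    "response_data": {
        "cad": "123456789012",           # assumed field name for the CAD
        "card_number": "4522180000013665",
        "expiry_date": "2027-03-31",
        "card_security_code": "123",
        "id": "123-45-6789",
        "id_type": 2,
        "id2": "DL-9988776",
    },
}

if __name__ == "__main__":
    print(json.dumps(redact_response(SAMPLE_RESPONSE), indent=2))
    print(redact_text("auth request for PAN 4522180000013665, cad 123456789012"))
```

Run redact_response over every Program API response and redact_text over every request or trace line before either is handed to a logger; the 12-digit CAD in the sample survives both, which is the point of passing the CAD rather than the PAN.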