diff --git a/src/_secureaccesstokenauthorizer/resource.py b/src/_secureaccesstokenauthorizer/resource.py
index 9c4d60ec8ac7ab1b24d3189e19983884f1cd2779..bab22f4eb0f39a28321b18ce13017296e10346c8 100644
--- a/src/_secureaccesstokenauthorizer/resource.py
+++ b/src/_secureaccesstokenauthorizer/resource.py
@@ -101,7 +101,9 @@ class _PaymentReferenceNumberCollection(Resource):
         prn = payload[u"payment-reference-number"]
         if not isinstance(prn, unicode):
             return bad_request().render(request)
-        if not prn.strip():
+        if len(prn) != 44:
+            # TODO.  44 is the length of 32 bytes base64 encoded.  This model
+            # information presumably belongs somewhere else.
             return bad_request().render(request)
         try:
             urlsafe_b64decode(prn.encode("ascii"))
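Review bot: The new guard `if len(prn) != 44:` counts characters of the encoded text, so on its own it does not establish that the value decodes to exactly 32 bytes. The standard-library base64 decoder discards characters outside the alphabet by default rather than raising, so a 44-character string containing such characters can pass both this check and the `urlsafe_b64decode` call while decoding to fewer bytes. I would keep the cheap length check but also verify the decoded size inside the `try`, e.g. `if len(urlsafe_b64decode(prn.encode("ascii"))) != 32: return bad_request().render(request)`, and replace the literal with a named constant, which would settle the TODO. The `try` body and its `except` clause continue outside this hunk, so it is worth confirming that the `UnicodeEncodeError` raised by `prn.encode("ascii")` on non-ASCII input is also mapped to a bad-request response rather than a server error.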
diff --git a/src/_secureaccesstokenauthorizer/tests/test_client_resource.py b/src/_secureaccesstokenauthorizer/tests/test_client_resource.py
index d8a8d6852832bdd9ef4e167932e0b59cda65ae2f..3c1216b6f48fc13a55bf50c0d9c345b3999c36e9 100644
--- a/src/_secureaccesstokenauthorizer/tests/test_client_resource.py
+++ b/src/_secureaccesstokenauthorizer/tests/test_client_resource.py
@@ -137,6 +137,7 @@ def not_payment_reference_numbers():
         ),
     )
 
+
 def is_urlsafe_base64(text):
     try:
         urlsafe_b64decode(text)
@@ -145,7 +146,6 @@ def is_urlsafe_base64(text):
     return True
 
 
-
 def invalid_bodies():
     """
     Build byte strings that ``PUT /payment-reference-number`` considers