PCI Requirement 3.3 – Mask PAN when Displayed

What is PCI Requirement 3.3?

PCI Requirement 3.3 states, “Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.”

What is PAN?

The PCI DSS says, “The primary account number (PAN) is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.”

Why should PAN be masked?

PCI Requirement 3.3 relates to the protection of PAN when it is displayed, not when it is stored. If the full PAN is displayed on computer screens, paper receipts, faxes, reports, or printouts, the data could be stolen by an unauthorized or malicious individual, who could then use it to make fraudulent transactions. By displaying the full PAN only to those with a business justification, your organization minimizes the risk of malicious individuals stealing or gaining access to PAN data. Once again, we believe in the mantra, “If you don’t need it, there shouldn’t be access to it.”

The PCI DSS says, “The masking approach should always ensure that only the minimum number of digits is displayed as necessary to perform a specific business function. For example, if only the last four digits are needed to perform a business function, mask the PAN so that individuals performing that function can view only the last four digits. As another example, if a function needs access to the bank identification number (BIN) for routing purposes, unmask only the BIN digits (traditionally the first six digits) during that function.”
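As an added illustration (not part of the original post or of the PCI DSS itself), the following Python applies the minimum-digits rule quoted above: each display function gets only the digits it needs, and a second check flags any full-PAN-shaped digit run before text reaches a screen or printout. The mode names, the regular expression and the sample receipt lines are this example's own constructions.

```python
import re

# Display modes, following the masking guidance quoted above.  The mode names
# are this example's own labels, not PCI DSS terminology.
MODES = {
    "last4": (0, 4),        # e.g. an agent confirming a card with the caller
    "bin": (6, 0),          # e.g. a routing step that only needs the BIN
    "first6last4": (6, 4),  # the most PCI DSS lets any display show
}

# Matches 13-19 digits, optionally separated by spaces or dashes, i.e. the
# shape of an unmasked PAN that should never reach a screen or printout.
UNMASKED_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(pan: str, mode: str = "last4", fill: str = "X") -> str:
    """Return the PAN showing only the digits the given display mode permits."""
    digits = re.sub(r"\D", "", pan)  # drop separators so they cannot hide extra digits
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    if mode not in MODES:
        raise ValueError(f"unknown display mode: {mode}")
    lead, trail = MODES[mode]
    hidden = len(digits) - lead - trail  # at least 3 digits stay hidden even for a 13-digit PAN
    return digits[:lead] + fill * hidden + digits[len(digits) - trail:]


def find_unmasked_pans(text: str) -> list:
    """Return every full-PAN-shaped digit run found in text that is about to be displayed."""
    return [m.group(0) for m in UNMASKED_PAN.finditer(text)]


if __name__ == "__main__":
    # Constructed sample receipt lines; 4111 1111 1111 1111 is a widely used test card number.
    receipt = [
        "CARD: 4111 1111 1111 1111  AUTH 123456",
        "CARD: " + mask_pan("4111 1111 1111 1111", "last4") + "  AUTH 123456",
    ]
    for line in receipt:
        leaks = find_unmasked_pans(line)
        print(("LEAK " if leaks else "ok   ") + line)
```

Run on the two constructed lines, the unmasked receipt line is flagged and the masked one passes.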

What happens during a PCI assessment?

Your PCI assessor should take inventory of the individuals who have a business need to see the full PAN and what that business need is. If an individual does not need to see the data, the assessor needs to see that the information has been truncated, redacted, or masked. At most, the first six and last four digits of the PAN may be displayed to individuals who do not need to see the full number.

An assessor will also take inventory of all the places where cardholder data is displayed – this could be a call center, someone printing receipts, etc. Then, your assessor will look at the data to confirm that the full PAN has been truncated, redacted, or masked.

Learn more about all the PCI DSS requirements in our detailed video series, or contact us with any questions you may have about your organization’s PCI compliance.
