PCI Requirement 3.3 – Mask PAN when Displayed

by Randy Bartels / July 28th, 2017

What is PCI Requirement 3.3?

PCI Requirement 3.3 states, “Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.”

What is PAN?

The PCI DSS says, “The primary account number (PAN) is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.”

Why should PAN be masked?

PCI Requirement 3.3 relates to the protection of PAN when it is displayed, not when it is stored. If full PAN is displayed on computer screens, paper receipts, faxes, reports, or printouts, the data could be stolen by an unauthorized or malicious individual, who could then use it to make fraudulent transactions. By displaying the full PAN only to those with a business justification, your organization minimizes the risk of malicious individuals stealing or gaining access to PAN data. Once again, we believe in the mantra of, “If you don’t need it, there shouldn’t be access to it.”

The PCI DSS says, “The masking approach should always ensure that only the minimum number of digits is displayed as necessary to perform a specific business function. For example, if only the last four digits are needed to perform a business function, mask the PAN so that individuals performing that function can view only the last four digits. As another example, if a function needs access to the bank identification number (BIN) for routing purposes, unmask only the BIN digits (traditionally the first six digits) during that function.”
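The masking approach quoted above can be expressed as a per-function display policy that is capped at first six/last four and shows nothing by default. This is an added example, not code from the PCI DSS or from this article; the function names, the policy table, the `*` mask character and the sample PAN are assumptions made for illustration.

```python
import re

# Caps from Requirement 3.3: at most the first six and last four digits.
MAX_FIRST, MAX_LAST = 6, 4

# Hypothetical business functions -> (leading digits, trailing digits) shown.
POLICIES = {
    "receipt": (0, 4),   # only the last four are needed
    "routing": (6, 0),   # only the BIN digits are needed
    "support": (6, 4),   # the most that may be shown without a full-PAN need
}
# Hypothetical functions with a documented business need for full PAN.
FULL_PAN_FUNCTIONS = {"chargeback_investigation"}

def mask_pan(pan: str, function: str, mask_char: str = "*") -> str:
    """Mask pan for display to the given function, keeping separators."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    if function in FULL_PAN_FUNCTIONS:
        return pan
    # Deny by default: an unlisted function sees no digits at all.
    first, last = POLICIES.get(function, (0, 0))
    first, last = min(first, MAX_FIRST), min(last, MAX_LAST)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            visible = seen < first or seen >= len(digits) - last
            out.append(ch if visible else mask_char)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)

def exceeds_display_limit(displayed: str) -> bool:
    """Check a displayed value: is any digit visible beyond first 6 / last 4?"""
    chars = [c for c in displayed if c.isdigit() or c == "*"]  # assumes "*" mask
    return any(c.isdigit() for c in chars[MAX_FIRST:len(chars) - MAX_LAST])

if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # constructed sample: a common test number
    for fn in ("receipt", "routing", "support", "unlisted_report"):
        print(f"{fn:16} {mask_pan(test_pan, fn)}")
```

`exceeds_display_limit` can be run over screen text, report rows or receipt output to spot values that show more than the permitted digits.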

What happens during a PCI assessment?

Your PCI assessor should take inventory of the individuals that would have a business need to see full PAN and what that business need is. If an individual does not need to see the data, an assessor needs to see that the information has been truncated, redacted, or masked. At a maximum, there should be no more than the first 6 and last 4 digits of the PAN being displayed to individuals that do not need to see it.

An assessor will also take inventory of all the places where cardholder data is displayed – this could be a call center, someone printing receipts, etc. Then, your assessor will look at the data to see that full PAN has been truncated, redacted, or masked.


“Once again, we go with the mantra of ‘If we don’t need it, there shouldn’t be access to it.’ PCI DSS Requirement 3.3: if individuals do not need access to the full cardholder numbers, it’s expected that you mask that data. We’ll describe what that looks like in a few moments. As an assessor, what we’re going to be looking for is an inventory of the individuals within your organization that would need to see the full cardholder data. It’s often believed that a database administrator, because of the nature of what they’re doing, needs to see the full cardholder data; that’s often a misnomer. Just because a database administrator is a DBA, that doesn’t necessarily grant them the permissions to view cardholder data. What we’re looking for – and this kind of marries into Requirement 7 – is the role of the individual that might be viewing this cardholder data, and understand what it is about their job or function that requires them to view the full cardholder data. In situations where the individuals do not actually need to see the cardholder data, we’re going to look to see that that information is truncated or redacted or masked in some respect. At a maximum, there should only be no more than the first 6 and last 4 characters of the cardholder data being displayed to individuals that do not need to see it. If an individual needs to see it to support their business, that’s quite alright, there’s no problem with that. From an assessment perspective, the assessor is going to look at all places where the cardholder data is displayed. You might have a call center that’s viewing cardholder data, you might be printing cardholder data for receipts – there’s multiple places where this information might be displayed. Once we’ve received that inventory, we’re going to ask to physically look at that data to see that it’s either masked or truncated. Truncated means that we’ve actually moved the data, more than the first 6 or the last 4. Masking is actually how the data is displayed.”