When handling cardholder data, one of the most sensitive pieces of information you will process is the PAN – the primary account number – which runs along the front of credit and debit cards and identifies both the card issuer and cardholder account.
PANs are unique cardholder identifiers, meaning that cybercriminals are able to commit serious acts of fraud – from making purchases to creating false ID. As unique identifiers for individuals, PANs are also considered personal data (or personally identifiable information; PII) subject to and to be protected in line with personal data protection regulations, such as the EU’s GDPR.
Masking PANs and restricting access to full PANs is crucial because it limits exposure of sensitive information to only those who absolutely need to see it. By displaying only the last four digits of the PAN (or the maximum number of allowable digits as defined in the PCI DSS), you reduce the likelihood of misuse - whether through insider threats or external attacks. Even if paper records are lost or stolen or system consoles left unlocked and accessible to unauthorized individuals, the masked PANs displayed are largely useless to bad actors.
Masking displays of PAN is therefore an essential process for all merchants to follow, and it’s a key part of broader PCI DSS compliance requirements. Failing to meet PCI DSS requirements and to secure this information effectively could not only leave customers exposed to fraud, but also cause you serious reputational and financial damage.
In this guide, we’ll explore why PAN masking is a major feature of PCI DSS, some best practices we recommend you follow, and how VikingCloud can help you keep this sensitive information safe.
Understanding PAN Masking in PCI DSS
PAN masking means concealing some digits of the 14-to-19 digit PAN so that it is incomplete and therefore unusable. In the context of PCI DSS 4.0.1, all entities with displays of PAN on screen, on paper receipts, on printed or handwritten records, etc. must take steps to ensure full PANs are visible only to those with a legitimate business need to see full PAN, with all others able to see only masked PANs, as per requirement 3.4.1.
Requirement 3.5.1, meanwhile, also requires data handlers to ensure PANs are unreadable when stored electronically, again, preventing criminals from using the data even if they successfully steal it.
PAN masking applies to data processed and displayed digitally and that which is shown on physical receipts and other paper copy. For example, after purchase, you may produce a paper receipt containing some of the customer’s PAN – but not the entire number string. We explore this in more detail below.
Adhering to PCI DSS means companies avoid not only creating stressful, potentially life-altering scenarios for their customers, but also receiving heavy fines and restrictions imposed by processors (such as Visa and Mastercard).
Beyond this, the consequences as a result of failing to mask a PAN could lead to customers and/or processors taking legal action, a severe downturn in revenue due to loss of buyer trust, and long-lasting reputational damage.
Taking a step back, it’s actually advisable not to store cardholder data at all unless you have good reason to. While you should still take steps to encrypt cardholder information in transit, if you avoid storing the data, you will have fewer compliance steps to take and offer much lower risk of sensitive details falling into the wrong hands.
PCI DSS Requirements for PAN Masking
PCI DSS requires that only personnel/roles with a legitimate need can be allowed to view displays (on screen or on paper) of more than the BIN (the Bank Identification Number - a payment card’s first six to eight digits, which identify the financial institution that issued the card) and last four digits of the PAN.
For everyone else, PANs must be masked: a segment of the PAN is concealed so that the masked PAN shows at most the BIN (the first six to eight digits) and the last four digits. Specifically, PAN masking applies to PANs shown or displayed on device screens, physical documents, and receipts, as well as any relevant displays of PAN in storage.
Business need or function should determine not only who has a need to see full PAN but also your masking approach. As good practice apply masking to display the minimum number of digits needed to achieve the business purpose; for example, if the last four digits are all that is needed for a call center agent to confirm the purchaser’s payment card in order to process their refund, then mask the PANs to only display the last 4 digits. Fully mask the PAN if your order fulfilment team only needs to know that a customer order is paid for before shipping but doesn’t need to see any details of the customers’ cardholder data.
Note that we are talking about cardholder data here, specifically the PAN. While the PCI DSS does allow PANs to be stored and displayed (on the basis of legal, regulatory or business need), some elements of account data cannot be held after processing. None of the elements of sensitive authentication data (SAD), that is, the security elements of a payment card used to verify the identity of the cardholder and/or authorize payment card transactions, may be stored after authorization. This includes the data contained on a card’s magnetic stripe or chip, the card verification codes (the three-digit or four-digit numbers printed on the cards) and a cardholder's PIN and 'PIN block'. If SAD is received, such as full track data at the POS, or card verification codes by e-commerce web servers or on mail order forms, that SAD must be rendered unrecoverable upon completion of the authorization process.
PAN Masking vs. Truncation: What’s the Difference?
PAN masking relates to protection of PAN when it is displayed or shown on device screens, on printouts or other hard copy paper media. PAN masking involves concealing (masking) a segment of a PAN when displayed or printed and is used so that only those with a legitimate business need can view displays of the full PAN.
PAN truncation relates to protection of PANs that are electronically stored (for example, in scanned forms, text files, spreadsheets, databases, etc.). PAN truncation involves removing a segment of a PAN. Truncation is one of a number of options specified in PCI DSS Requirement 3.5.1, which requires PAN to be rendered unreadable anywhere it is stored. Similar to PAN masking, the starting baseline for the maximum number of PAN digits that can be retained after truncation is the first 6 and last 4 digits but acceptable PAN truncation formats vary by card brand.
Masking and truncation are not synonymous terms. Masking comprises the concealing of certain PAN digits during display or printing; the entire PAN may still be electronically stored on a system. In that case, those electronic stores of PAN must still be rendered unreadable in accordance with PCI DSS Requirement 3.5.1. The masking requirement to conceal PAN digits shown on screens or displays enables businesses to configure PAN masking based on user role within a system: perhaps showing the full PAN to users with a supervisory role based on their legitimate business need, with customer services agents seeing only the last 4 digits. The capability to do that will depend on how the business chooses to render its stored electronic PAN unreadable (Requirement 3.5.1).
Truncation, as one of the methods available to meet Requirement 3.5.1, actually removes the truncated digits. Other methods to render stored PAN unreadable include one-way hashing, index tokens (tokenization) and strong cryptography (reversible encryption). Truncation is a one-way process: it is not possible to ‘un-truncate’ to recover the missing digits of a truncated PAN; the full PAN would need to be re-obtained or re-created from another source. Therefore, as truncated digits cannot be retrieved, it is also not possible to display the full PAN to users of a system that stores truncated PAN, even where there is a legitimate business need for them to see it. Truncating the stored PAN has the effect of masking those PAN digits on displays, but note that good practice is to display the minimum number of digits needed to perform the specific business function, so further masking of PAN digits when displaying a truncated PAN may still be needed.
Best Practices & Methods for PAN Masking
We always advise our customers to avoid PAN storage, purely to reduce the risk of sensitive data getting stolen and the chances of you breaching PCI DSS. If you don’t store PAN, then the requirements relating to the protection of stored PAN in Requirement 3 do not apply. But if you do retain PAN, such that it may be displayed on paper or on screen, then access to view the full PAN must be restricted to only those people/roles with a legitimate business need to see it. Everyone else must only be able to see a masked PAN.
For PAN displayed on screen, this can mean utilizing role-based access controls and other system or application capabilities to limit access to viewing full PAN. Only those individual users assigned a role that is granted access to view full PAN, based on a defined business need, will be able to view full PAN. All other users will see masked PAN, with the number of visible digits (from the maximum allowable first six to eight digits and the last four digits) determined by business need.
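The distinction between display-time masking and storage-time truncation described in the previous section, together with the role-based display control described above, is easier to see in code. The following Python is an added example, not VikingCloud’s code or a PCI SSC reference implementation. The role names, the digits each role is allowed to see, and the sample card number are illustrative assumptions; the BIN (first six to eight digits) and last-four limits follow the PCI DSS text quoted in this article, and the first-6/last-4 truncation baseline is the one the article cites, with brand-specific formats left to be checked against PCI SSC FAQ 1091.

```python
"""Added example, not VikingCloud's code: display-time masking versus
storage-time truncation of a PAN, with a role-based display policy.
Role names, per-role digit limits and the sample card number are
illustrative assumptions."""
import re

PAN_LENGTHS = range(14, 20)  # a PAN is 14 to 19 digits long
MAX_LEADING = 8              # at most the BIN (first six to eight digits) ...
MAX_TRAILING = 4             # ... and the last four digits may be shown
TRUNC_LEADING, TRUNC_TRAILING = 6, 4  # baseline truncation format: first 6, last 4


def normalize_pan(pan: str) -> str:
    """Strip the spaces/dashes used on receipts and forms, then check the length."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or len(digits) not in PAN_LENGTHS:
        raise ValueError("PAN must be 14 to 19 digits")
    return digits


def mask_digits(digits: str, leading: int, trailing: int, fill: str = "X") -> str:
    """Replace every digit except the first `leading` and last `trailing` with `fill`.
    Works on a full PAN or on an already truncated value (see display_truncated)."""
    if leading < 0 or trailing < 0 or leading + trailing > len(digits):
        raise ValueError("cannot reveal more digits than the value contains")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + fill * hidden + digits[len(digits) - trailing:]


def mask_pan(pan: str, leading: int = 0, trailing: int = 4) -> str:
    """Requirement 3.4.1 masking: the displayed value never shows more than the
    BIN and last four; the full PAN itself is untouched wherever it is stored."""
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("a masked PAN may show at most the BIN (6-8) and last 4 digits")
    return mask_digits(normalize_pan(pan), leading, trailing)


def truncate_pan(pan: str, leading: int = TRUNC_LEADING, trailing: int = TRUNC_TRAILING) -> str:
    """One option for Requirement 3.5.1: the middle digits are removed rather than
    hidden. The result is shorter than a PAN, and nothing can restore the gap."""
    if leading > TRUNC_LEADING or trailing > TRUNC_TRAILING:
        raise ValueError("baseline truncation keeps at most first 6 and last 4; check card-brand formats")
    digits = normalize_pan(pan)
    return digits[:leading] + digits[len(digits) - trailing:]


# Illustrative display policy (assumption): (leading, trailing) digits each
# role has a business need to see; None records a documented need for full PAN.
ROLE_POLICY = {
    "fulfilment": (0, 0),     # only needs to know the order is paid
    "call_center": (0, 4),    # confirms the card by its last four digits
    "supervisor": None,       # legitimate business need for the full PAN
}


def display_pan(pan: str, role: str) -> str:
    """Render a stored full PAN for a role: default deny for unknown roles,
    full PAN only where the policy records a need, masked PAN otherwise."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"no display policy for role {role!r}")
    limits = ROLE_POLICY[role]
    if limits is None:
        return normalize_pan(pan)
    return mask_pan(pan, *limits)


def display_truncated(truncated: str, role: str) -> str:
    """When the store holds only a truncated PAN, no role can see the full PAN,
    but the minimum-digits rule still applies: an agent who needs only the
    last four should not be shown the BIN either."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"no display policy for role {role!r}")
    limits = ROLE_POLICY[role]
    if limits is None:
        return truncated            # the most anyone can see: first 6 + last 4
    leading, trailing = limits
    return mask_digits(truncated, min(leading, TRUNC_LEADING), min(trailing, TRUNC_TRAILING))


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # constructed test card number, not a real account
    for role in ROLE_POLICY:
        print(f"{role:12} full store -> {display_pan(pan, role)}")
    stored = truncate_pan(pan)
    for role in ROLE_POLICY:
        print(f"{role:12} truncated  -> {display_truncated(stored, role)}")
```

Running the block shows the supervisor seeing the full PAN only while the full PAN is actually stored; once the store holds the truncated value, the same role sees at most the first six and last four, and the call-center role still sees only the last four. The policy table is deny-by-default so that a role nobody has reviewed never falls through to a full or partially masked display.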
For PAN shown or displayed on hard copy media (paper), if or when display of PAN in either full or masked form is not required at all, then physical destruction of the media (or the physical segment of media displaying PAN) is recommended. In line with requirement 9.4.6, that means destroying the media so it cannot be reconstructed such as by cross-cut shredding, incineration or pulping.
Where there is a business need to display masked PAN on hard copy media, then physical removal and secure destruction of the digits to be masked is recommended. This could require redesigning of forms to position PAN entry on the form in a place that enables easy removal of the relevant digits (e.g. at the very bottom of the form) and physical destruction.
Redaction to obscure or ‘black out’ the PAN digits is also possible but not recommended on its own. Where the PAN is handwritten in some cases and typed or printed in others, black marker pen redaction will not always succeed in masking the PAN digits. It can be possible to ‘see through’ the document and hence read the redacted PAN digits, even when they are redacted on both the front and back of the page. Redaction also won’t help if the PAN digits are indented into the page.
The preferred approach when using this type of redaction is to redact the PAN digits on the original document, then photocopy or scan the redacted form, securely destroy the original and retain only the copy (as the copy won’t have the problems outlined above).
The methods used need to be robust enough that they can be shown, in all cases, to mask the PAN successfully, such that any retained media can be considered to no longer contain cardholder data and hence to be out of scope for PCI DSS. This is why it’s worthwhile reaching out to a team like VikingCloud, who can help set up the most effective processes for your specific needs.
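Showing that retained material no longer contains a full PAN is straightforward to check for electronic records (a CSV export, an application log, the text recovered from a scanned form). The Python below is an added example, not VikingCloud’s code: it finds runs of 14 to 19 digits and confirms each candidate with the Luhn check that card numbers satisfy, so a masked value such as 411111XXXXXX1111, a first-6/last-4 truncated value, or an unrelated 20-digit reference number is not reported. The sample records are constructed, and the card numbers in them are the usual test numbers rather than real accounts; paper media still needs the physical controls described above.

```python
"""Added example, not VikingCloud's code: scan text records for full PANs
that survived masking or truncation. Sample records are constructed."""
import re

# Runs of 14-19 digits, allowing the spaces or dashes used on receipts and
# forms, bounded by non-digits so a longer number cannot match partially.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every card PAN passes it, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_full_pans(text: str) -> list:
    """Return the full PANs (digits only) present in `text`, in order of appearance."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 14 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_records(lines) -> dict:
    """Map each offending line number (1-based) to the full PANs found on it."""
    hits = {}
    for n, line in enumerate(lines, 1):
        pans = find_full_pans(line)
        if pans:
            hits[n] = pans
    return hits


def is_clean(lines) -> bool:
    """True when no record contains a full PAN; masked and truncated values are fine."""
    return not scan_records(lines)


SAMPLE_RECORDS = [  # constructed export lines, not real data
    "order=1001,card=411111XXXXXX1111,amount=42.00",     # masked: not reported
    "order=1002,card=4111111111,amount=19.99",           # truncated first 6/last 4: not reported
    "order=1003,card=4111 1111 1111 1111,amount=7.50",   # full 16-digit test PAN: reported
    "order=1004,ref=12345678901234567890,amount=3.00",   # 20-digit reference, not a PAN
    "order=1005,card=4111111111111112,amount=5.00",      # 16 digits but fails Luhn
    "order=1006,card=3714 496353 98431,amount=12.00",    # full 15-digit test PAN: reported
]

if __name__ == "__main__":
    for line_no, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"line {line_no}: full PAN present ({len(pans)} found)")
    print("clean" if is_clean(SAMPLE_RECORDS) else "NOT clean: full PAN still stored")
```

The Luhn test cuts down false positives from order numbers and timestamps but does not eliminate them, and a run of digits that happens to pass Luhn is still worth a look. Printing only the line number and a count, rather than the PAN itself, keeps the scanner’s own output out of scope.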
Conclusion
The bottom line on PCI DSS and cardholder data is simply this: don’t store PAN unless it’s necessary to meet the needs of your business. If, however, you have a need and do receive, create or store PAN, then you must protect that cardholder data and prevent its unauthorized exposure or fraudulent use. This includes masking the PAN digits to show the minimum number of digits necessary to meet your defined business need(s), wherever PANs are displayed on screens or on paper. Otherwise, your PCI DSS assessment could find you in violation of some critical data handling policies and procedures.
VikingCloud can help you keep all the sensitive data you handle and store secure against some of the most sophisticated emerging threats. Need our help with masking PANs, scanning for vulnerabilities, or simply improving your security posture? Contact us now for a free consultation.
References and guidance:
PCI DSS 4.0.1 in particular Section 2 PCI DSS Applicability Information, and in the requirements and guidance under Requirement 3.4 Access to displays of full PAN and ability to copy PAN are restricted and Requirement 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
PCI SSC FAQ 1492: How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs?
PCI SSC FAQ 1146: What is the difference between masking and truncation?
PCI SSC FAQ 1091: What are acceptable formats for truncation of primary account numbers?