What is the best practice when masking or truncating PAN data?
When it comes to displaying PAN data, it comes down to two things:
- What does the PCI DSS say?
- What does security best practice say?
What the PCI DSS says (Requirement 3.3):
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. This requirement relates to protection of PAN displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.4 for protection of PAN when stored in files, databases, etc.
This is the maximum the DSS allows. Displaying more digits than that can be used to reconstruct the PAN.
What security best practice says:
If you don’t NEED to display the first six and last four, then display only the last four. Less is always better. If you don’t NEED to, don’t store it and don’t show it.
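To make the two options above concrete, here is an added example (not code from the original post or from ControlScan) that masks a PAN for display, enforces the Requirement 3.3 maximum of first six plus last four, and quantifies why "less is better": it counts how many PANs remain consistent with a masked value once the Luhn check digit is taken into account. The PAN used in the test is the constructed, widely published Visa test number 4111111111111111, not a real card; all function names are this example's own.

```python
"""Mask a PAN for display and quantify what a given mask still reveals."""
import re

# PCI DSS Requirement 3.3: at most the first six and last four digits
# may be displayed.
PCI_MAX_FIRST = 6
PCI_MAX_LAST = 4


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; a PAN is 13 to 19 digits long."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN is 13 to 19 digits")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812); every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, *, keep_first: int = 0, keep_last: int = 4,
             mask_char: str = "X") -> str:
    """Return a display-safe PAN.

    Default is last-four only (the best-practice minimum). Callers may
    reveal up to first six + last four, and nothing beyond that.
    """
    digits = normalize_pan(pan)
    if not (0 <= keep_first <= PCI_MAX_FIRST and 0 <= keep_last <= PCI_MAX_LAST):
        raise ValueError("exceeds PCI DSS 3.3 display maximum of first six + last four")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + mask_char * hidden + digits[len(digits) - keep_last:]


def candidate_pans(masked: str, mask_char: str = "X") -> int:
    """Number of PANs consistent with a masked value.

    Each hidden digit multiplies the search space by 10, but the Luhn
    check digit rules out 9 of every 10 combinations, so with n hidden
    digits only 10**(n-1) candidates survive (exactly 1 if nothing is hidden).
    """
    hidden = masked.count(mask_char)
    return 1 if hidden == 0 else 10 ** (hidden - 1)


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"   # constructed, well-known test number
    for first in (0, PCI_MAX_FIRST):
        m = mask_pan(test_pan, keep_first=first)
        print(f"{m}  candidates remaining: {candidate_pans(m):,}")
```

Applied to a 16-digit PAN, last-four-only leaves 10^11 possibilities, while first-six-plus-last-four leaves only 100,000: that difference is the whole argument for showing the bare minimum. Do the masking at the point of display and keep the full PAN only in systems covered by the Requirement 3.4 storage controls.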
For more information on PAN data storage and the PCI DSS, see my June 2015 PCI Compliance Guide post.
Have additional questions about how the PCI DSS applies to your business? Visit ControlScan.com or give us a call at 1-800-825-3301, ext. 2. We’d be happy to help.