What’s the best practice for masking or truncating PAN data?

When it comes to the display of PAN data, it’s about 2 things:

‍

What’s the PCI DSS say?
What does security best practice say?

‍

What the PCI DSS says (Requirement 3.3):

‍

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. This requirement relates to protection of PAN displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.4 for protection of PAN when stored in files, databases, etc.

‍

This is the maximum that the DSS allows. More than that can be used to reconstruct the PAN.

‍

What security best practice says:

‍

If you don’t NEED to display first six and last four, then only display the last four. Less is always better. If you don’t NEED to, don’t store it and don’t show it.

‍

Have additional questions about how the PCI DSS applies to your business? Contact Us. We’d be happy to help.

‍

What’s the best practice for masking or truncating PAN data?

When it comes to the display of PAN data, it’s about 2 things:

What the PCI DSS says (Requirement 3.3):

What security best practice says:

VIKINGCLOUD NEWS & RESOURCES

The PCI Point-to-Point Encryption (P2PE) Program

PA-DSS and PCI DSS: Beware the critical difference!

How Can Your PCI Compliance Efforts Ultimately Save Your Business Money?

ISO 27002:2022

“How Do I Report a PCI Violation?”

Managed Compliance Services

THOR AI: Reducing Cyber Risk for At-Risk Businesses

The PCI DSS, Chaining and the Franchise Relationship

How To Secure Your Software Supply chain

Internal vs. External Vulnerability Scans: Why You Need Both

VikingCloud Welcomes Jim Burke as New CEO

PCI DSS 4.0 - Risk vs. Requirement

The Top Generative A.I. Security Threats Facing the Restaurant Industry

How Do Cybercriminals Profit From My Stolen Data?

The Real Cost of Data Breach

Microsoft Ending Support for Windows Server 2003

What is an Endpoint Protection Platform?

What is Endpoint Detection and Response?

The 2019 PCI Compliance Annual Plan

Finding The Cure for Swelling Cyber-threats

EDR or SIEM: Which Should You Choose?

No Windows XP Support, No PCI Compliance?

Business Protection Services

3 Generative AI Security Risks Retailers Should Beware of

Spin the InfoSec Color Wheel - You Landed on Red!

Cyber Threat Unit Spotlight: Robin Divino

What in the World is a Qualified Integrator and Reseller?

PCI DSS L1 Bundles

Voice

PCI DSS v4 Transformation when using PCI DSS v3.2.1 validated TPSPs

P2PE – Don’t Lose Your Investment

PCI DSS 4.0 - Summary of Changes

Digital Certificates

PCI DSS 4.0: Multifactor Authentication

PTS POI v3 Device Expiration: Are You Ready?

VikingCloud to take seat at PCI SSC Global Executive Assessor Roundtable

VikingCloud Announces Industry’s First PCI L4 Compliance Program with Integrated Cyber Risk Score

VikingCloud welcomes Gabe Moynagh as new board advisor

Proactive Data Security

Avoid Audit Fatigue - Using Automation to Create an Efficient Compliance Framework (and Stay Sane)

How To Select A PCI Compliant Service Provider: Advice For Small Business Owners

Protecting Your Business from Phishing Attacks

PCI Compliance and the Service Provider

You’re Non-Compliant with PCI. Now What?

Security Incident Preparedness - Tabletop Exercises

Managed Security Services

In a comply-or-else industry, this payment solutions provider doesn’t just clear the bar, but surpasses the competition.

PCI DSS v4.0 - Removal of 'In Place with Remediation'

New “Backoff” Point-of-Sale Malware Alert

Distributed Denial of Service (DDOS) Attack – What can you do?

PCI DSS v4 – Are you using Disk Encryption?

Securing the End Zone: Achieving PCI Compliance Excellence for an NFL Franchise

Is PCI Compliance a Law? Should it be?

VikingCloud Announces Industry’s First Generative AI-Powered Chatbot Combining Real-Time Cybersecurity and PCI Compliance Intelligence

LockBit Redux: Ransomware Gang Demands $80M, Leaks CDW Data

NIST Cybersecurity Framework 2.0: A Deep Dive into the New Governance Function

ISO27001 vs. ISO27002

“Are ‘Knuckle Busters’ PCI Compliant?”

Cyber Threat Unit Spotlight: Chesley Moodley

What’s the best practice for masking or truncating PAN data?

“Does my backup services business need to be PCI compliant?”

Penetration Testing

Phishing 101: everything you need to know to protect your business

Staying PCI DSS compliant as the global payment landscape evolves

Threat Hunt that Uncovered Novel Malware

Cybersecurity’s GenAI Hype Cycle – and How to Break Out

Introducing PCI DSS 4.0

Connectivity Services

Programs for Acquirers, ISOs, and Processors

Will EMV Make You PCI Compliant?

Integrating CVSS 4.0 into VikingCloud Penetration Testing

VF Corp. discloses cyberattack on first day of new SEC rule

SEC Adopts New Rules on Cybersecurity Risk Management, Incident Disclosure, and Ransomware Payments by Public Companies

IMPORTANT LINKS

PCI DSS v4.0 Compliance: 5 Key Reasons to Define Roles and Responsibilities