Frequently Asked Question

PCI DSS requirement 3.4.1 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific business need to see the full card number. Business needs may exist to validate if the appropriate numbers were entered properly before completing the transaction (for example, for customers and customer service representatives).

Wherever PAN is accessed or displayed, other controls such as Time To Live (TTL) or webpage "timeouts" should be deployed in accordance with PCI DSS Requirement 8.2.8, so that the screen does not display the card numbers indefinitely. Additionally, as with all systems that transmit cardholder data over a public network, the website which displays the PAN should have strong encryption enabled to ensure the data is secured as it is entered and validated.