When it comes to the display of PAN data, it’s about two things:
- What does the PCI DSS say?
- What does security best practice say?
What the PCI DSS says (Requirement 3.3):
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. This requirement relates to protection of PAN displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.4 for protection of PAN when stored in files, databases, etc.
This is the maximum that the DSS allows. Showing more digits than that leaves too few hidden, and the remainder can be used to reconstruct the full PAN.
What security best practice says:
If you don’t NEED to display first six and last four, then only display the last four. Less is always better. If you don’t NEED to, don’t store it and don’t show it.
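The two rules above (the Requirement 3.3 maximum of first six and last four, and the best-practice default of last four only) are easy to get wrong in display code, so here is an added example, not from the original page or from any PCI SSC material. The `mask_pan` and `is_display_compliant` functions, the `*`/`x`/`#` mask characters and the sample PANs are all assumptions constructed for this illustration; the sample numbers are test-style values, not real cards.

```python
import re

# Constructed sample PANs for demonstration only (test-style numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5500 0000 0000 0004"]

MASK_CHAR = "*"
# Characters we accept as "masked" when checking a rendered string (assumption).
MASK_CLASS = r"[*xX#]"


def _digits_only(pan: str) -> str:
    """Strip spaces and dashes so masking works on the bare digit string."""
    digits = re.sub(r"[\s-]", "", pan)
    # PANs are 12 to 19 digits; anything else is not a PAN and is refused.
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits (separators allowed)")
    return digits


def mask_pan(pan: str, show_first: int = 0, show_last: int = 4) -> str:
    """Mask a PAN for display on a screen, receipt or printout.

    The default shows only the last four digits (the best-practice minimum
    described above). show_first=6 gives the Requirement 3.3 maximum of
    first six plus last four; any request beyond that maximum is refused
    rather than silently honoured.
    """
    if not (0 <= show_first <= 6 and 0 <= show_last <= 4):
        raise ValueError("PCI DSS 3.3 permits at most the first six and last four")
    digits = _digits_only(pan)
    hidden = len(digits) - show_first - show_last
    if hidden <= 0:
        raise ValueError("nothing would be masked")
    return digits[:show_first] + MASK_CHAR * hidden + digits[len(digits) - show_last:]


def is_display_compliant(displayed: str) -> bool:
    """Check an already-rendered string against the 3.3 maximum.

    Compliant means: at most six leading digits visible, at most four
    trailing digits visible, and everything in between masked. A string with
    no mask characters at all (a bare PAN) is rejected, as is a string that
    exposes digits in the middle.
    """
    s = re.sub(r"[\s-]", "", displayed)
    pattern = r"\d{0,6}" + MASK_CLASS + r"+\d{0,4}"
    return re.fullmatch(pattern, s) is not None


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        best_practice = mask_pan(pan)               # last four only
        dss_maximum = mask_pan(pan, show_first=6)   # first six + last four
        print(best_practice, is_display_compliant(best_practice))
        print(dss_maximum, is_display_compliant(dss_maximum))
    # A receipt template that leaks a seventh leading digit fails the check.
    print(is_display_compliant("5500000*****0004"))
```

Run it to see the two permitted renderings side by side; `is_display_compliant` is the kind of check you can drop into a test suite for receipt and screen templates so that a layout change never widens what is shown past the 3.3 maximum.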
Have additional questions about how the PCI DSS applies to your business? Contact Us. We’d be happy to help.