PAN Masking for PCI Compliance: A Beginner’s Guide
Merchants are responsible for protecting cardholder data every time they accept credit and debit card transactions from their customers. This holds true whether the payment was made in person, online, over the phone, or part of a recurring subscription.
But credit cards contain tons of sensitive information—info that can lead to fraud if there’s a data breach or it ends up in the wrong person’s hands.
PAN masking is one of the many ways that businesses can protect customers and ultimately protect themselves from fines, penalties, and PCI compliance fees.
If you’re unfamiliar with PAN masking and how it works, I’ll explain everything you need to know below.
What is a PAN Number?
PAN stands for “primary account number.”
This is the unique string of numbers displayed on a credit card or debit card—typically 16 digits for Visa, Mastercard, and Discover, and 15 digits for American Express cards. PANs are used to identify the card issuer, card type, and account holder.
For example, all Visa cards start with the number “4,” and all American Express account numbers start with “37” or “34.” PAN numbers can also tell you the country where the card was issued and whether it’s a credit card, debit card, or prepaid card.
Most importantly, a PAN number ties a unique person or individual account to the card—allowing them to make purchases. If you’ve ever bought something online, you’ve likely entered your PAN number to complete the purchase. So if someone else has your PAN number, they can potentially make fraudulent purchases using your account.
What is PAN Masking?
PAN masking is the practice of concealing the primary account number of a credit card or debit card from anyone who doesn’t have a reason to see it. Generic characters (like an “X” or dots) are substituted in place of the actual numbers—typically just displaying the last four digits of the card number.
PAN masking can be applied for digital card storage as well as any physical instances where the card info might be displayed.
For example, a credit card receipt from an in-store purchase will likely use PAN masking to ensure the full card number isn’t printed on the receipt. And if a credit card number is kept on file for repeat purchases, PAN masking can be used to ensure employees can’t actually view the entire card number. But if they were dealing with a customer, they’d be able to say, “We have your card on file ending in 1234.”
How Does PAN Masking Work?
PAN masking requires your POS system, gateway, or terminal to be configured specifically to conceal the PAN number whenever it is displayed or printed.
To stay PCI compliant, only the first six digits of a card and the last four digits of a card can be displayed—the rest must be hidden to be considered PAN masking.
For example, a card 1234 5678 9101 1121 displayed as 1234 56XX XXXX 1121 would be sufficient for PAN masking under PCI DSS requirements.
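The display rule above (at most the first six and last four digits visible) as working code. This is an added example, not code from the original article: mask_pan applies the rule while keeping the receipt's digit grouping, and is_compliant_display is a simple audit check for values already printed or logged. The sample PANs are constructed (the article's own 16-digit example and a 15-digit form).

```python
import re

# Display rule from the section above: at most the first six and the last four
# digits of a PAN may be shown; everything between them must be masked.
MAX_LEADING_VISIBLE = 6
MAX_TRAILING_VISIBLE = 4
MIN_PAN_DIGITS, MAX_PAN_DIGITS = 13, 19   # PAN lengths seen across card brands


def mask_pan(pan: str, first: int = 6, last: int = 4, mask_char: str = "X") -> str:
    """Return `pan` with all but `first` leading and `last` trailing digits masked.

    Spaces and dashes are kept in place so a receipt layout such as
    "1234 5678 9101 1121" keeps its grouping after masking.
    """
    if first > MAX_LEADING_VISIBLE or last > MAX_TRAILING_VISIBLE:
        raise ValueError("PCI DSS display limit is first 6 / last 4 digits")
    if not re.fullmatch(r"[0-9 -]+", pan):
        raise ValueError("input is not a PAN (digits, spaces, dashes only)")
    total = sum(c.isdigit() for c in pan)
    if not MIN_PAN_DIGITS <= total <= MAX_PAN_DIGITS or first + last >= total:
        raise ValueError("PAN length out of range or nothing left to mask")
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            visible = seen < first or seen >= total - last
            out.append(c if visible else mask_char)
            seen += 1
        else:
            out.append(c)          # preserve the separator as-is
    return "".join(out)


def is_compliant_display(display: str) -> bool:
    """Audit check for a PAN-shaped value found on a receipt, screen or log line.

    True only for a masked PAN: at most six leading digits, a non-digit masked
    middle, at most four trailing digits, and a PAN-sized overall length.
    A full, unmasked PAN (or a digit leaking into the middle) returns False.
    """
    compact = re.sub(r"[ -]", "", display)
    m = re.fullmatch(r"(\d*)(\D+)(\d*)", compact)
    if m is None:
        return False
    lead, _hidden, tail = m.groups()
    return (len(lead) <= MAX_LEADING_VISIBLE
            and len(tail) <= MAX_TRAILING_VISIBLE
            and MIN_PAN_DIGITS <= len(compact) <= MAX_PAN_DIGITS)
```

Passing first=0 produces the receipt-style "last four only" form, and any request to show more than six leading or four trailing digits is rejected before anything is rendered.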
Why is PAN Masking Necessary?
PAN masking is necessary for PCI compliance; failing to comply can lead to extra fees and potential penalties for merchants.
Costs aside, masking PAN numbers is necessary to protect your customers.
If you’re careless with their credit card numbers and other cardholder data, then it puts them at risk for fraud. A data breach could lead to someone stealing their account numbers and making fraudulent charges on their cards.
What’s the Difference Between PAN Masking and PAN Truncating?
The key difference between PAN masking and PAN truncation is that masking simply hides or conceals parts of the PAN number while truncating removes the numbers altogether.
With PAN masking, the full primary account number could still be accessed behind the scenes. But with PAN truncation, those numbers are permanently removed—most commonly used for data storage.
If you use truncation to protect cardholder data, then the numbers can’t be retrieved within your system once they’ve been removed.
How to Protect PAN Data in Credit Card Processing
There are several ways that merchants can protect primary account numbers and other PAN data when accepting credit cards. Here are the most common options.
Masking
PAN masking hides or conceals part of the primary account number. For PCI compliance, the absolute maximum that can be displayed is the first six digits and the last four digits—everything else must be masked.
Truncation
Truncation permanently removes numbers from the PAN. This is best for data storage, where the account number won’t need to be reused again for any additional purchases or on-file transactions.
Tokenization
Tokenization is an advanced data protection method that replaces account numbers with another value (known as the token). The token alone is useless in the event of a data breach, which is why it’s commonly used to keep card data on file for future transactions.
Encryption
Encryption uses cryptographic algorithms and keys to transform PAN numbers into unreadable formats. Merchants should use encryption whenever cardholder data is transmitted over open public networks (including the internet).
PCI DSS also requires encryption to be used whenever card data is at rest (aka in storage). This extends beyond PAN numbers and also applies to cardholder names, expiration dates, and CVV numbers.
One-way Hashing
One-way hashing converts PAN numbers into a unique data string. Unlike encryption (which can be decrypted when the data reaches its destination) and tokenization (which can display PANs with a key or token), one-way hashing is irreversible—meaning the PAN number can never be accessed from the hashed version.
PAN Data Rules For PCI Compliance
PAN masking is part of PCI DSS requirement section 3. Merchants are allowed to store cardholder data—including PAN numbers, cardholder names, service codes, and expiration dates.
However, all PAN data must be in an unreadable format when it’s stored.
Only the first six digits and last four digits can be displayed, and only authorized people can have access to it.
PCI DSS also advises merchants to delete all unnecessary data at least once per quarter. So if you’re storing PAN numbers (even if they’re masked or otherwise protected), but you don’t actually need them for any future purpose, they should be completely deleted.