[PCI DSS 3.0] [PCI DSS 3.0] 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to

pcinetwork

PCINetwork.org Admin
#1
3.3 Mask PAN when displayed (the first
six and last four digits are the maximum
number of digits to be displayed), such
that only personnel with a legitimate
business need can see the full PAN.
Note: This requirement does not
supersede stricter requirements in place
for displays of cardholder data—for
example, legal or payment card brand
requirements for point-of-sale (POS)
receipts.

3.3.a Examine written policies and procedures for masking the
display of PANs to verify:
 A list of roles that need access to displays of full PAN is
documented, together with a legitimate business need for
each role to have such access.
 PAN must be masked when displayed such that only
personnel with a legitimate business need can see the full
PAN.
 All other roles not specifically authorized to see the full PAN
must only see masked PANs.
3.3.b Examine system configurations to verify that full PAN is
only displayed for users/roles with a documented business
need, and that PAN is masked for all other requests.
3.3.c Examine displays of PAN (for example, on screen, on
paper receipts) to verify that PANs are masked when displaying
cardholder data, and that only those with a legitimate business
need are able to see full PAN.

The display of full PAN on items such as
computer screens, payment card receipts, faxes,
or paper reports can result in this data being
obtained by unauthorized individuals and used
fraudulently. Ensuring that full PAN is only
displayed for those with a legitimate business
need to see the full PAN minimizes the risk of
unauthorized persons gaining access to PAN
data.
This requirement relates to protection of PAN
displayed on screens, paper receipts, printouts,
etc., and is not to be confused with Requirement
3.4 for protection of PAN when stored in files,
databases, etc.
 
Top