
PAN Masking


K Heath
03-22-2007, 04:27 PM
I have a client who is currently changing their applications to mask Credit Card Numbers displayed on screens to comply with PCI DSS. Their approach is to substitute * for all digits except for the first 4 and last 3, no problems with that.

They are implementing this change on all screens that display multiple credit card numbers; however, they are asking whether it is necessary to mask the credit card number on screens that only display one number at a time (e.g. client transaction enquiry). Their argument is that lots of people have access to one credit card number at a time and the potential for compromise is reduced, so why do they need to change all their processing?

I would appreciate advice on what other organisations have implemented, or what other QSAs would consider acceptable.

jbhall56
03-22-2007, 05:10 PM
The PAN needs to be masked always.

I realize that it's only a one-at-a-time situation, but 3.3 states: "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)." There is nothing in 3.3 or anywhere else in the Security Audit Procedures that says "only when displayed in bulk."

So, regardless, the PAN must be masked whether listing one or multiple accounts.

lyalc
03-22-2007, 11:03 PM
There are very valid reasons when one has to see the unmasked card account number. e.g. the shop assistant sees it when you hand over the card in a store.

The PCI intent of masking in 3.3 is to limit the visibility of PANs where there is no business need to see the full PAN, yet the full PAN needs to be stored.

I believe the business process and the different roles (level 1 customer support, level 2 support or whatever) need to be reflected in the solution that is implemented.
Thus, certain roles may see the full PAN, while other roles never see the unmasked PAN.

Lyal
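The three things the thread touches on (the client's "first 4 and last 3" mask from the first post, the first-six/last-four maximum jbhall56 quotes from 3.3, and the per-role display lyalc suggests) fit together in one small routine. The following is an added example written for this page; it is not code from the original thread or from any of the posters. The role names, the sample card number, the 13-digit minimum PAN length and the fail-closed behaviour for unknown roles are assumptions made for the example.

```python
"""Role-aware PAN masking that enforces the PCI DSS 3.3 display maximum.

Added example for this thread; the role table and sample number are constructed.
"""
from typing import Dict, List, Tuple, Union

# Maximum digits 3.3 allows to be shown: first six and last four (as quoted in the thread).
MAX_LEADING = 6
MAX_TRAILING = 4
MASK_CHAR = "*"
# Assumption for this example: a PAN shorter than 13 digits is not a real card number,
# so rather than reveal most of it we mask every digit.
MIN_PAN_DIGITS = 13


class MaskPolicyError(ValueError):
    """Raised when a display policy would reveal more digits than 3.3 permits."""


def mask_pan(pan: str, leading: int = 4, trailing: int = 3) -> str:
    """Replace every digit with MASK_CHAR except the first `leading` and last `trailing`.

    Non-digit separators (spaces, dashes) are kept so the on-screen layout does not change.
    The default 4/3 is the client's chosen mask from the first post; anything beyond the
    3.3 maximum of 6/4 is rejected instead of silently applied.
    """
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise MaskPolicyError(
            f"first {leading}/last {trailing} exceeds the PCI DSS 3.3 maximum "
            f"of first {MAX_LEADING}/last {MAX_TRAILING}"
        )
    digit_positions = [i for i, c in enumerate(pan) if c.isdigit()]
    n = len(digit_positions)
    if n < MIN_PAN_DIGITS:
        # Fail closed: too short to be a PAN, show nothing at all.
        leading = trailing = 0
    out = list(pan)
    for k, i in enumerate(digit_positions):
        # k is the digit's ordinal among digits only; i is its index in the raw string.
        if leading <= k < n - trailing:
            out[i] = MASK_CHAR
    return "".join(out)


# Hypothetical role table for this example, reflecting the thread's point that some
# roles have a business need to see the full PAN while others never do.
FULL_PAN = "full"
Policy = Union[Tuple[int, int], str]
ROLE_POLICY: Dict[str, Policy] = {
    "level1_support": (4, 3),       # the client's chosen mask
    "level2_support": (6, 4),       # the most 3.3 allows
    "fraud_investigator": FULL_PAN, # documented business need for the full number
}


def display_pan(pan: str, role: str) -> str:
    """Render a PAN for a role. Roles missing from the table get a fully masked PAN."""
    policy = ROLE_POLICY.get(role)
    if policy == FULL_PAN:
        return pan
    if policy is None:
        return mask_pan(pan, 0, 0)
    leading, trailing = policy
    return mask_pan(pan, leading, trailing)


def noncompliant_roles(table: Dict[str, Policy]) -> List[str]:
    """Return the roles whose masking policy would exceed the 3.3 maximum.

    Useful as a start-up check so a mis-edited role table cannot reach production.
    """
    bad = []
    for role, policy in table.items():
        if policy == FULL_PAN:
            continue
        leading, trailing = policy
        if leading > MAX_LEADING or trailing > MAX_TRAILING:
            bad.append(role)
    return bad


# Constructed sample number for demonstration; not a real card.
SAMPLE_PAN = "4000 1234 5678 9010"

if __name__ == "__main__":
    for role in ("level1_support", "level2_support", "fraud_investigator", "visitor"):
        print(f"{role:20s} {display_pan(SAMPLE_PAN, role)}")
    print("non-compliant roles:", noncompliant_roles(ROLE_POLICY))
```

The masking is done on digit ordinals rather than string offsets so that a PAN rendered as `4000 1234 5678 9010` and one rendered as `4000123456789010` expose exactly the same digits; a mask that counted raw characters would let separators shift which digits survive. Unknown roles fall back to a fully masked number rather than to the default mask, on the principle that a role nobody has configured has no established business need.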