Procedure for unmasking PANs


lou_s
02-08-2009, 07:08 PM
Hi all,

Is there a specific procedure outlined in PCI-DSS for unmasking PANs when needed? I have been told that a log file needs to be kept, which lists the date the PAN(s) were unmasked, by whom, the reason, and when the PAN(s) were masked again. I am unsure, however, if this is simply the choice of our organization, or if it is specifically required by PCI-DSS.

Along these same lines, is there a time limit given for how long a PAN can be unmasked? For instance, would a request by an employee to unmask, indefinitely (possibly for a few months), all PANs in our database in order to facilitate some work he is doing be a request that seems not only reasonable, but compliant as well? This person would be logging into this database with elevated permissions, so just he and few others would see the unmasked PANs. All other employees in user groups with fewer permissions would continue seeing masked PANs.

This request is greatly concerning me, and so I am gathering some information to take to our upper management.

Thanks.

lyalc
02-08-2009, 11:24 PM
Where there is a business need to retain the complete PAN, PANs need to be stored encrypted. Otherwise, the PAN should be masked (more correctly called truncation), permanently replacing at least digits 7 to 12.

Where PAN is needed, it is permissible that users and applications decrypt PAN as needed, provided there is a log of all user access to PAN data. Whatever else, the stored version of PAN needs to remain encrypted.

As long as PAN is only unencrypted in volatile application memory, this is acceptable; however, RAM disks etc. can be considered 'storage', as they can be read like a conventional disk.
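
The pattern lyalc describes (full PAN kept only as ciphertext, a masked form for ordinary display, and a logged decryption when someone with a business need asks for the full number) as an added example in Go. This is not code from the thread, from PCI DSS, or from any vendor: the AES-GCM key, the privileged-user list, the record id `cust-1` and the card number 4111 1111 1111 1111 (a well-known test number, not a real card) are all constructed for the demo, and key custody (HSM or KMS) is left out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditEntry records one reveal of a full PAN: when, by whom, which record, why.
type AuditEntry struct {
	When   time.Time
	User   string
	Record string
	Reason string
}

type storedPAN struct {
	masked string // display form: usable without the key, never needs decryption
	sealed []byte // AES-GCM nonce || ciphertext || tag of the full PAN
}

// PANVault keeps full PANs only as ciphertext and logs every decryption.
type PANVault struct {
	aead    cipher.AEAD
	records map[string]storedPAN
	allowed map[string]bool // users permitted to see full PANs (assumed role check)
	Audit   []AuditEntry
}

// NewPANVault wraps a 16-, 24- or 32-byte AES key; key custody (HSM/KMS) is out of scope here.
func NewPANVault(key []byte, allowed map[string]bool) (*PANVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PANVault{aead: aead, records: map[string]storedPAN{}, allowed: allowed}, nil
}

// Store validates the PAN, keeps the first six and last four digits for display, and
// encrypts the full PAN under a fresh nonce with the record id bound as associated data.
func (v *PANVault) Store(id, pan string) error {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return errors.New("PAN must be 13 to 19 digits")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[id] = storedPAN{
		masked: pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:],
		sealed: v.aead.Seal(nonce, nonce, []byte(pan), []byte(id)),
	}
	return nil
}

// Masked is the ordinary read path: no key use, no audit entry ("" for an unknown record).
func (v *PANVault) Masked(id string) string { return v.records[id].masked }

// Reveal decrypts the full PAN only for a privileged user who states a reason, and
// writes the audit entry before the plaintext is handed back.
func (v *PANVault) Reveal(id, user, reason string) (string, error) {
	if !v.allowed[user] {
		return "", fmt.Errorf("user %q may not view full PANs", user)
	}
	if strings.TrimSpace(reason) == "" {
		return "", errors.New("a reason is required to unmask a PAN")
	}
	rec, ns := v.records[id], v.aead.NonceSize()
	if len(rec.sealed) < ns {
		return "", fmt.Errorf("no record %q", id)
	}
	pt, err := v.aead.Open(nil, rec.sealed[:ns], rec.sealed[ns:], []byte(id))
	if err != nil {
		return "", err
	}
	v.Audit = append(v.Audit, AuditEntry{When: time.Now().UTC(), User: user, Record: id, Reason: reason})
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed demo key; a real deployment loads it from an HSM/KMS
	v, _ := NewPANVault(key, map[string]bool{"alice": true})
	_ = v.Store("cust-1", "4111 1111 1111 1111") // constructed test number, not a real card
	fmt.Println("display form:", v.Masked("cust-1"))
	_, err := v.Reveal("cust-1", "bob", "curious")
	fmt.Println("bob's request:", err)
	full, _ := v.Reveal("cust-1", "alice", "chargeback dispute")
	fmt.Println("alice sees:", full)
	fmt.Printf("audit: %+v\n", v.Audit)
}
```

Two design choices worth noting. The masked form is computed once at store time, so the display path never touches the key and never generates an audit entry; only `Reveal` decrypts. And `Reveal` is per call rather than a toggle, so every view of a full PAN produces its own dated, attributed, reasoned entry; a standing "unmasked for months" grant of the kind the original poster describes would produce one entry and then no record of subsequent use.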

lyalc