PCI Watch

PCI DSS requirement 3.3 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific need to see the full card number. Business needs may exist to validate if the appropriate numbers were entered properly prior to completing the transaction (for example, for customer service representatives). To compensate for not masking the PAN on the screen for these types of transactions, controls such as Time To Live (TTL) or webpage “timeouts” should be deployed so that the screen does not display the card numbers indefinitely. Additionally, as should all websites that transmit cardholder data, the website which displays the PAN should be SSL enabled to ensure the data is secured as it is entered and validated.