What is the difference between masking and truncation?
Masking is addressed in PCI DSS Requirement 3.3, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.4. Masking and truncation are both methods of rendering the full PAN unreadable by removing or replacing a segment of the full PAN. Masking is a method of concealing a segment of PAN when displayed or printed (for example, on paper receipts, reports, or computer screens), and is used when there is no business need to view the entire PAN.
Truncation is a method of rendering a full PAN unreadable by permanently removing a segment of PAN data, and applies to PANs that are electronically stored (for example, in files, databases, etc.). For further guidance on truncation formats, please refer to FAQ 12245.
Note that even if a PAN is masked when displayed, the full PAN might still be electronically stored and would need to be protected in accordance with PCI DSS Requirement 3.4.
Entities should also be aware of any stricter requirements that may apply to displays of cardholder data, such as specific Payment Brand regulations and regulatory or legislative requirements, for example, restrictions for data displayed on point-of-sale (POS) receipts. PCI DSS does not supersede local or regional laws or other legislative requirements.
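The distinction above, as an added example that is not part of the original FAQ: masking builds a display string and leaves storage untouched, truncation discards the middle digits before anything is written, and a storage scan shows which records still hold a full PAN. The first-six/last-four layout, the field names and the sample records are assumptions for illustration; the page defers truncation formats to FAQ 12245.

```python
import re

KEEP_HEAD, KEEP_TAIL = 6, 4  # assumed layout, for illustration only

def _digits(pan):
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("expected a 13-19 digit PAN")
    return d

def mask_for_display(pan):
    """Masking: returns a display string; whatever is stored is unchanged."""
    d = _digits(pan)
    return d[:KEEP_HEAD] + "*" * (len(d) - KEEP_HEAD - KEEP_TAIL) + d[-KEEP_TAIL:]

def truncate_for_storage(pan):
    """Truncation: only the kept segments are returned for writing; the
    middle digits are dropped and cannot be recovered from the record."""
    d = _digits(pan)
    return {"pan_head": d[:KEEP_HEAD], "pan_tail": d[-KEEP_TAIL:]}

def luhn_ok(d):
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def find_full_pans(records):
    """Return (record index, field) for each field holding a Luhn-valid
    13-19 digit number, i.e. a likely full PAN still in storage."""
    hits = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            cands = re.findall(r"(?<!\d)\d{13,19}(?!\d)", str(value))
            if any(luhn_ok(c) for c in cands):
                hits.append((idx, field))
    return hits

TEST_PAN = "4111111111111111"  # constructed sample: a widely used test number
MASKED_ONLY_STORE = [{"id": 1, "pan": TEST_PAN}]  # masked on screen, stored in full
TRUNCATED_STORE = [{"id": 1, **truncate_for_storage(TEST_PAN)}]

if __name__ == "__main__":
    print(mask_for_display(TEST_PAN))
    print(find_full_pans(MASKED_ONLY_STORE))
    print(find_full_pans(TRUNCATED_STORE))
```

The scan flags the record from the application that only masks on display, which is the case the note about Requirement 3.4 describes.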