Comprehensive Guide to PCI DSS Masking Requirements for Cardholder Data

The Payment Card Industry Data Security Standards (PCI DSS) Requirements provide guidelines to protect cardholder data from exposure during card payment transactions. Organizations that process card payments must comply with the PCI DSS masking requirements to minimize breach risks to cardholder data. Read on to learn more.

 

What are the PCI DSS Masking Requirements for Cardholder Data?

Requirement 3 of the PCI DSS stipulates guidelines for protecting cardholder data (CHD) from exposure risks. Based on the PCI DSS masking requirements, organizations can safeguard CHD from cybersecurity threats and risks via:

• Encrypting CHD during processing 
• Masking CHD during storage 

Complying with the PCI DSS masking requirements helps minimize breach risks to CHD and strengthens overall PCI data security.

 

What is Cardholder Data?

Cardholder data (CHD) is any information found on a customer’s payment card. CHD is considered sensitive and personally identifiable information, requiring organizations to implement industry-standard protections to minimize any breach risks. 

Forms in which CHD is stored on payment cards include:

• Printed CHD on either side of the card
• Digital magnetic stripe storage on the back of the card
• Chip storage on the front side of the card

CHD elements printed on customer’s payment cards include:

• Primary account number (PAN)
• Cardholder name
• Expiration date
• Service code

Besides CHD, sensitive authentication data (SAD) is also stored on payment cards and includes:

• Full magnetic stripe data
• Verification codes (corresponding to card issuers), including:
  • Card Verification Value (CVV) for Visa and Discover cards
  • Card Security Code (CSC) for American Express cards
  • Card Validation Code (CVC) for Mastercard payment cards
  • Card Authentication Value (CAV) for JCB payment cards
• Personal identification number (PIN)

Protecting CHD and SAD elements is critical for compliance with PCI DSS masking requirements. While most merchants will store CHD in some capacity, SAD may only be stored by payment card issuers when necessary. Once a cardholder’s identity has been verified via SAD, merchants may not store it in any capacity—masked, encrypted, or otherwise.

 

Request a Free Consultation

 

Encryption of Cardholder Data 

Encrypting CHD elements at all stages of card payment processing reduces security gaps and vulnerabilities. Specifically, organizations can implement PCI DSS masking requirements to encrypt CHD during:

• Display (e.g., on receipts, reports, emails)
• Transmission (e.g., across merchants, third-party vendors)

Compliance with PCI DSS requirements for PAN masking can help strengthen your organization’s CHD security.

---

Download Our PCI DSS Checklist

---

PCI DSS Masking Requirements for CHD Display

Requirement 3.3 of the PCI DSS mandates organizations to mask PANs when they are displayed, ensuring:

• Truncated PAN cardholder data to display only a maximum of the first six and last four digits at any time
• Only personnel with a legitimate business need can access entire PANs

This requirement does not supersede stricter legal or payment card brand requirements for displaying PANs, especially PANs on point-of-sale receipts.

For instance, Visa provides strict recommendations for PCI DSS truncated pan, including:

• Masking PAN on cardholder receipts to ensure:
  • All but the last four digits of PANs are disguised
  • The full expiration date is concealed on copies of receipts issued at:
    • POS terminals 
    • ATMs
• Disguising PAN on merchant receipts issued at POS terminals to ensure:
  • Only a maximum of the first six and last four digits are displayed
  • The full expiration date is obscured

Your organization can reduce the risks of CHD breaches (whether on the customer or business end) by implementing the PCI DSS requirements for PAN masking.  

Requirement 4 and CHD Encryption

Under Requirement 4 of the PCI DSS, organizations must encrypt the transmission of CHD across open, public networks, the most common of which include:

• Internet
• Wireless technologies (e.g., 802.11, Bluetooth)
• Cellular technologies (e.g., Global System for Mobile communications (GSM))
• General Packet Radio Service (GPRS)
• Satellite communications

 

PCI DSS Masking Requirements for CHD Transmission

Specific PCI DSS masking requirements for CHD transmission include:

• Securing CHD transmission across unsecured networks via strong cryptographic tools and security protocols, including:
  • Trusted keys and certificates
  • Secure versions and configurations of protocols
  • Industry-standard encryption tools
• Ensuring the use of encrypted wireless networks to transmit CHD or host CHD environment (CDE)
• Avoiding the use of end-user messaging technologies (e.g., email, instant messaging) for sending unencrypted PANs
• Establishing and documenting organization-wide security policies for encrypting CHD during transmission

PCI DSS masking requirements help secure the transmission of CHD and protect its sensitivity and integrity.

 

PCI DSS Masking Requirements for CHD Storage

PCI DSS masking requirements also apply to any CHD that organizations store. However, PCI DSS Requirement 3 mandates that organizations minimize CH storage and retention. 

If CHD must be stored, organizations must establish processes for:

• Limiting amount and time of storage to that required for legal, business, or regulatory reasons
• Specifying retention requirements for CHD
• Securely deleting CHD when no longer needed
• Implementing quarterly identification and securely deletion of CHD stored past its defined retention time

 

Compliant SAD Disposal

While you can store CHD for defined durations, SAD must not be stored after authorization, even when encrypted. Specific requirements for SAD disposal include:

• After account authorization is complete, SAD must be deleted.
• SAD should not be recoverable once deleted.
• Card issuers can store SAD if:
  • Data is stored securely.
  • There is business justification and legitimacy. 

Additionally, organizations must avoid storing:

• The full contents of magnetic stripe or track data (or equivalent chip data), except data elements that may need to be retained, including:
  • Cardholder name
  • PAN
  • Expiration date
  • Service code
• Verification codes (i.e., CVV, CVC, CSC, CAV)
• PINs

Encryption Requirements for CHD Storage

When organizations must store CHD, PCI DSS masking requirements mandate that PAN be unreadable wherever it is stored. 

Specific encryption measures for masking PAN include:

• One-way hashing – Use of one-way functions, in which algorithms generate hash codes to convert PAN from a readable format into an unreadable one. 

• Truncation of PAN – Permanently deleting a segment of stored PAN makes the data unreadable and minimizes exposure risks. PCI DSS truncated PAN can be securely stored in physical or cloud storage (e.g., files, databases). When masking PAN using hashing and truncation, you must ensure:

• • • Hashed and truncated versions of PAN are not available in the same CDE
    • The co-existence of PCI DSS truncated PAN with hashed PAN in the same CDE is protected to prevent reconstruction of the original PAN

• Tokenization of PAN – Replacing PAN with a random, unique, and unpredictable value based on an index helps make the PANs less sensitive. Tokenization can be applied to segments of PANs or entire PANs.

• Cryptographic key management – Use of cryptographic keys, algorithms, and protocols to encrypt CHD must be effectively coordinated to ensure:
  • Separate storage of key-encrypting keys and data-encrypting keys
  • Secure storage and distribution of cryptographic keys
  • Availability of at least two full-length key components or shares, based on industry-accepted methods
  • Cryptographic key storage in the fewest possible locations
  • Changing cryptographic keys at the end of their crypto period
  • Replacement of keys with weakened or compromised integrity
  • Responsible custodianship of cryptographic keys to prevent unauthorized changes to the keys

Encrypting stored CHD based on PCI DSS masking requirements will help your organization minimize breach risks and protect the sensitivity of CHD. In addition, working with an experienced PCI compliance partner will help define, adhere to, and enforce best practices for securing CHD storage.

 

Optimize PCI DSS Masking Tools, Protect Cardholder Data

Protecting the sensitivity of CHD throughout all stages of card payment processing is critical to achieving PCI compliance. Implementing PCI DSS masking requirements for encryption and storage of CHD will help protect CHD and minimize cyber threat risks.

Contact RSI Security today to learn how your organization can optimize tools for masking cardholder data.