
PCI DSS: Redacting Credit Card Information

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Cardholder Data (CHD) Protection Requirements

PCI DSS Requirement 3 mandates strict protection for stored cardholder data. Under these rules:

  • Primary Account Numbers (PAN): The 16-digit card number must be masked whenever it is displayed. At most the first six and last four digits may be shown, unless there is a documented business need to see the full number.
  • Sensitive Authentication Data (SAD): Full magnetic stripe (track) data, CVV codes, and PIN codes must never be stored after card authorization, even in encrypted form.

Implementing Masking and Bounding Box Redaction

When billing support agents troubleshoot payment gateway issues, card numbers often leak into log files or invoice screenshots. Developers should use regular expressions to automatically mask card numbers in log output and database fields, and apply visual blackout redaction tools to payment receipts before sharing them externally.
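As an added illustration of the regex masking described above (example code written for this guide, not NanoLog Redact's own implementation), the Python below finds 13-19 digit PAN candidates in log lines, discards false positives such as order IDs with a Luhn check, and masks everything except the first six and last four digits. The pattern and the sample log lines are constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits with optional single space/hyphen separators,
# not glued to other word characters. Constructed for this example; it is a
# log-oriented heuristic, not a complete card-number validator.
PAN_CANDIDATE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(raw: str) -> str:
    """Keep first six and last four digits, X out the rest, keep separators."""
    n_digits = sum(ch.isdigit() for ch in raw)
    seen, out = 0, []
    for ch in raw:
        if ch.isdigit():
            seen += 1
            if 6 < seen <= n_digits - 4:
                ch = "X"
        out.append(ch)
    return "".join(out)

def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN candidate in text; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # e.g. an order id: not a card number
        return mask_pan(raw)
    return PAN_CANDIDATE.sub(_sub, text)

# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 gateway: auth declined for card 4111 1111 1111 1111 ref=TX-0042",
    "2024-05-01 12:00:02 gateway: order 9876543210123456 shipped",  # fails Luhn
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_pans(line))
```

Run the masking before the log line reaches disk or a log shipper; masking after the fact still leaves the full PAN in the original write path.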