Frequently Asked Questions

< Back to search page

Can the full credit card number be displayed within a browser window?

FAQ Response

PCI DSS requirement 3.3 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific business need to see the full card number. Business needs may exist to validate if the appropriate numbers were entered properly prior to completing the transaction (for example, for customers and customer service representatives).

Wherever PAN is accessed or displayed, other controls such as Time To Live (TTL) or webpage "timeouts" should be deployed in accordance with PCI DSS Requirement 8.1.8, so that the screen does not display the card numbers indefinitely. Additionally, as with all systems that transmit cardholder data over a public network, the website which displays the PAN should have strong encryption enabled to ensure the data is secured as it is entered and validated.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

May 2014
Article Number 1071

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?