Frequently Asked Questions

< Back to search page

What is the difference between masking and truncation?

FAQ Response

Masking is addressed in PCI DSS Requirement 3.3, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.4.

Masking is a method of concealing a segment of PAN when displayed or printed (for example, on paper receipts, reports, or computer screens), and is used when there is no business need to view the entire PAN.

Truncation is a method of rendering a full PAN unreadable by permanently removing a segment of PAN data, and applies to PANs that are electronically stored (for example, in files, databases, etc.). For further guidance on truncation formats, please refer to the FAQ “What are acceptable formats for truncation of primary account numbers”.

Note that even if a PAN is masked when displayed, the full PAN might still be electronically stored and would need to be protected in accordance with PCI DSS Requirement 3.4.

Entities should also be aware of any stricter requirements that may apply to displays of cardholder data, such as specific Payment Brand regulations and regulatory or legislative requirements —for example, restrictions for data displayed on point-of-sale (POS) receipts. PCI DSS does not supersede local or regional laws or other legislative requirements. 
 

May 2014
Article Number 1146