How PCI-DSS Protects Cardholder Information
2023-12-05 13:42:06 Author: infosecwriteups.com

Learn the different protection techniques in the PCI standard

Taimur Ijlal

InfoSec Write-ups

I just recently wrote about the new version of the PCI DSS (or the Payment Card Industry Data Security Services) standard, set to become effective in March 2024.

I focused on the key changes that are upcoming and how companies can prepare themselves for them.

However, the core of PCI DSS has always been, and always will be, Requirement 3: Protect Cardholder Data.

This requirement details how organizations that handle card data must protect cardholder information wherever it is stored, processed, or transmitted.

I want to focus on this particular requirement and its meaning in this article.

In my experience of handling many PCI DSS audits, this is where many companies goof up when working with cardholder data.

PCI DSS is very clear about what you CAN and CANNOT store, and not following Requirement 3 can be the difference between a failed and a successful PCI audit.

PCI DSS Requirement 3 protects cardholder data whether it is displayed on screens or printouts, or stored in files, databases, or other media.

It provides several ways of accomplishing this, which are listed below:

  • Masking
  • Truncation
  • One-way hashing
  • Tokenization
  • Encryption

Let's take a look at each of them below.

Masking is a method of concealing a segment of a primary account number (PAN), which is the 16-digit card number, when it is displayed or printed (for example, on paper receipts, reports, or computer screens). It is used wherever there is no business need to view the entire PAN.

Even if the full PAN is stored in the system, masking conceals digits at the moment of display or printing (usually at most the first 6 and the last 4 digits may be shown).
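As an added example (not code from the article), the Python below shows what a display-side masking routine looks like in practice: it enforces the "first 6 and last 4" ceiling, tolerates PANs of 13 to 19 digits rather than only 16, and includes a redaction pass that masks any Luhn-valid card number found in free text such as a receipt line or application log, which is where unmasked PANs most often leak during an audit. The PAN, the order id, and the function names are constructed for this example.

```python
import re

# A bare PAN is 13-19 digits (the article's 16-digit case is the most common).
PAN_RE = re.compile(r"^\d{13,19}$")

# A PAN embedded in text may carry single space/dash separators between digits.
PAN_IN_TEXT_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test.

    Used to avoid masking things that merely look like a PAN (timestamps,
    order ids) when redacting free text.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4,
             mask_char: str = "X") -> str:
    """Mask a PAN for display, never revealing more than first 6 / last 4.

    Raises ValueError instead of silently showing too much, so a caller
    cannot accidentally request a non-compliant display format.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_RE.fullmatch(digits):
        raise ValueError("not a PAN: expected 13-19 digits")
    if keep_first < 0 or keep_last < 0 or keep_first > 6 or keep_last > 4:
        raise ValueError("masking may expose at most the first 6 and last 4 digits")
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("nothing left to mask")
    return digits[:keep_first] + mask_char * hidden + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form.

    Non-Luhn digit runs (e.g. an order id) are left untouched.
    """
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            return mask_pan(digits)
        return raw
    return PAN_IN_TEXT_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample: a receipt/log line containing a test card number.
    line = "order 20231205134206 paid with card 4111 1111 1111 1111 ok"
    print(mask_pan("4111 1111 1111 1111"))   # receipt style: 411111XXXXXX1111
    print(mask_pan("4111111111111111", keep_first=0))  # last-4-only style
    print(redact_pans(line))                 # order id survives, PAN masked
```

The redaction pass is the check a practitioner actually wants: run it over anything that leaves the cardholder data environment for display or logging, and treat any line it changes as evidence that a full PAN reached a place it should not have.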


Article source: https://infosecwriteups.com/how-pci-dss-protects-cardholder-information-58c39b3e7605?source=rss----7b722bfd1b8d---4