This article is about the common ways merchants and service providers protect their customers’ cardholder data. If you’re new to the world of cardholder data security, there are a few acronyms that might get in your way, so let’s define them.
First, PCI. This is shorthand for the security standard that protects cardholder data. You might also see PCI DSS, which is a real mouthful when you spell out all the words: Payment Card Industry Data Security Standard. The last one for now is PAN. PAN stands for primary account number and refers to the numbers listed across the front of your credit card. PAN is important to this conversation because truncation, encryption, and masking are used to protect PAN.
Which brings us to the meat of the article…
Based on the number of questions I get about them, truncation, encryption, and masking are the lions and tigers and bears of the PCI world. I get it! These terms were confusing to me at first, too. A lot of this confusion comes because people tend to use these words incorrectly, so this article is intended to explain what each word means, and how they are different.
Let’s start with masking because it offers the least amount of protection to PAN. When you mask PAN, the full number is still there. It just isn’t being displayed.
You’re probably familiar with how masking works because there are a lot of websites that ask you for your password and hide the characters as you type them. But they have a little eyeball icon you can click on to show you what you just typed just to make sure you didn’t fat finger something before hitting the submit button and locking yourself out. So, the password is there in the field, it’s accessible, but you can’t see it because it’s masked unless you unmask it.
Masked PAN works the same way. Let’s say you want to pay a bill, but you need a little extra help, so you make a call. A customer service agent in a call center will likely pick up your call and ask for your credit card number. As you give them the number, the PAN they type in typically gets masked as they type it, then completely disappears after they hit submit in their payment system.
Masking helps prevent PAN from being stolen by shoulder surfers or through video cameras. It doesn’t prevent malicious actors who are in your network from stealing and using PAN because masking is something that happens at the display level — it covers up visible information. It doesn’t change anything about the PAN on the underlying data level.
Think of the difference between the display level and the data level like this — if you get sent a picture of a candy bar, you can see it, but you can’t eat it. The picture is the display level, and the candy bar is the data level.
It’s worth talking about another way masking is used because this second way is what confuses a lot of people when asked the question, “Is it masked or is it truncated?” More about the confusion later — first the masking technique.
There are some businesses that need to have your full PAN stored. Not many can justify that need, but a fraud service might be one of them. So, let’s say you notice a sketchy charge and call the number on the back of your card. The customer service agent will access a system that probably has your full PAN stored, but the system will likely only display to the agent a portion of that number — maybe just the last four digits.
Masking in this case means the agent doesn’t have access to full PAN, so they can’t write down your number and use it to buy shoes after you hang up. Again, the full PAN exists in the system, but only part of it is displayed.
Encryption is a way of making PAN unreadable even if you have access to the data. Encryption is a technique that uses math to scramble up the numbers so they can’t be read unless you have the decryption key.
We could get into a lot of nerdy math at this point, but to make the concept more comprehensible, let’s go back to the candy bar. If you put the candy bar into a locked box, someone could steal that box and they would technically also steal the candy bar, but they couldn’t eat it because they couldn’t get to it without the key.
Encrypted PAN is like that. When you encrypt data, it’s still protected even if the bad guys steal it, because they can’t get past the encryption to use the data.
Truncation means cutting something off. It’s not a word we use as much as we did a hundred years ago. Today we wouldn’t say an athlete’s career was truncated because of an injury, we’d say it was cut short.
It’s the cutting part that’s important because truncating PAN means part of it was permanently removed. If enough of the PAN is removed during truncation, the full PAN can’t be reconstructed, even if you have a lot of time to make guesses about the missing pieces. (I recommend truncating all but the last four digits.)
The great thing about truncated PAN is that it isn’t considered PAN anymore if you do it right, so you don’t have to put all the security controls in place to protect it. This saves you time and money.
In sweet snacking terms, when you truncate, that candy bar was eaten and all you’re left with is the wrapper.
Confusing truncation with masking
The potential for taking PAN out of scope by truncating it is a key concept because if you’re trying to be PCI compliant (more importantly, if you’re trying to increase your security stance), and you tell your assessor that the PAN in your database is truncated, they aren’t going to look at any of the security controls around storage.
But what if you say it’s truncated PAN but it’s really masked PAN, and you only think it’s truncated because you can’t see all the numbers? That data is vulnerable to theft and fraud because it likely isn’t protected.
On the other hand, what if you call it masked PAN when it’s truncated? Then you’re pouring a lot of time and money into protecting data that is of no value to attackers and can’t cause either you or your customers damage if breached.
And another thing…
Quick note on how PAN relates to cardholder data (CHD). Most of the PCI QSAs I know talk about CHD a lot more than they talk about PAN, so you might have heard the term. CHD is what you get when you combine PAN with personally identifiable information (PII) such as the cardholder’s full name, or sensitive information such as the code printed on the card that you must enter when making most online purchases.
I hope this helps clarify the difference between truncation, encryption, and masking! Let me know if you have questions you’d like covered.