What Does it Mean to Mask a PAN? A Practical Guide

What does it mean to mask a PAN? Learn more about PANs, why it's important to mask them for PCI-DSS compliance, and more here.

As a merchant, it simply makes sense to accept debit and credit card payments. The Federal Reserve System reports 157 billion card payments were made in 2021, the most recent year for which data is available.

Brick-and-mortar merchants generally want to give customers convenient payment options. Digital-first companies often need to accept credit and debit cards to complete sales.

However, some requirements come along with accepting credit and debit cards. There's plenty of sensitive information tied to payment cards, something you can't say about cash. That means security standards need to be followed to protect customers and ensure business compliance.

Masking the primary account number (PAN) of a credit card in certain situations is one such security standard. Keep reading to learn more about this process, from what a PAN is to what it means to mask a PAN.

Swipesum helps businesses find effective payment processing solutions for their unique needs. We take cost, functionality, security, and much more into account, presenting recommendations that align with your company's priorities.

Our independent payments consultants can help with negotiating merchant services fees and statement analysis, too. Best of all, it comes at no additional cost to your business. Schedule a free consultation today to optimize your approach to card payments.

What is a PAN?

Sometimes, it seems like payment processing is full of confusing acronyms and complex concepts. Fortunately, that's not the case when it comes to primary account numbers, or PANs.

The PAN is simply the account number displayed on and tied to a specific credit or debit card. It's also known as a payment card number or, more casually, a card number. It's generally 16 digits but can be as short as 14 or as long as 19 digits, Investopedia explains.

The combination of numbers in each PAN identifies:

  • The specific credit card company associated with the card or its industry.
  • The specific bank or other institution that issued the card.
  • The unique, individual account tied to the card.

The PAN is unique to each card. It's a primary way of distinguishing a specific card and account from the many others issued by the same institution. Think about making a purchase online with a card. The PAN is one of the key pieces of information needed to complete the transaction.

The Balance points out that the account number of a payment card is distinct from the PAN. In other words, the account number assigned by the card issuer — seen when viewing a monthly statement, for example — is different from the PAN. These numbers are connected but not the same.

PANs were traditionally embossed on the front of a card. However, some newer cards include the PAN on the back instead of the front.

What Does it Mean to Mask a PAN?


In the simplest terms, masking a PAN means protecting it from anyone who doesn't have a legitimate reason to see it. PAN masking helps to reduce the potential for illicit use of a customer's card information.

The masking process itself involves substituting generic characters in place of the specific numbers in a PAN. These often appear as dots or bullet points. An "X" character may also be used as a substitute.

PANs are unique numbers, which makes them sensitive and potentially valuable to cybercriminals and other malicious actors. With a PAN and other information, like the card verification value (CVV), it's possible for an unauthorized user to make a purchase without the cardholder's knowledge.

That makes protecting PANs a priority in terms of card security. In the world of card payments, the Payment Card Industry Data Security Standard (PCI DSS) sets rules for protecting such information.

Compliance specialist firm RSI Security explains that keeping a PAN masked helps to reduce the potential for a data breach. Specifically, PCI DSS Requirement 3.3 mandates that PANs are masked when displayed.

That includes limiting the number of digits shown to the first six and last four on the card.

Additionally, businesses have an overall duty to limit access to the full PAN to staff with a legitimate reason to view them.

Credit card networks also often have their own standards, which may be more rigorous than PCI DSS requirements. It's crucial to be aware of and align with all relevant security requirements related to PANs.

PAN masking requirements extend across physical and digital display and storage. In general, protecting this data and limiting access is a smart move.

That's true in terms of compliance and maintaining positive relationships with clients as well. Data breaches involving PANs can lead to regulatory consequences as well as a negative reputation among customers.

PAN Masking vs. PAN Truncating

PANs can also be truncated, which is a similar practice used for similar reasons. However, it is distinct from PAN masking. Truncating a PAN involves deleting or otherwise removing part of the PAN instead of masking it with alternative characters.
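The difference between masking and truncating, together with the first-six/last-four display limit described earlier, shown as an added Python example (not Swipesum's code). The function names, the Luhn checksum filter, and the sample log line are assumptions of this example, and it goes a step beyond the text by also masking PANs that appear inside free text such as a log line.

```python
import re

# Candidate PANs in free text: 14-19 digits (the range given above),
# optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){13,18}(?!\d)", re.ASCII)

def _split(pan, first, last):
    """Return (head, middle, tail) of a PAN after stripping separators."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"[0-9]{14,19}", digits):
        raise ValueError("expected a 14-19 digit PAN")
    if not (0 <= first <= 6 and 0 <= last <= 4):
        raise ValueError("at most the first six and last four digits may be shown")
    cut = len(digits) - last
    return digits[:first], digits[first:cut], digits[cut:]

def mask_pan(pan, first=6, last=4, mask_char="X"):
    """Masking: length is preserved, hidden digits become mask_char."""
    head, middle, tail = _split(pan, first, last)
    return head + mask_char * len(middle) + tail

def truncate_pan(pan, first=6, last=4):
    """Truncation: the hidden digits are removed rather than replaced."""
    head, _, tail = _split(pan, first, last)
    return head + tail

def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans_in_text(text):
    """Mask every Luhn-valid PAN in a line of text before it is displayed."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_ok(digits) else match.group()
    return PAN_RE.sub(repl, text)

# Constructed sample: a widely used test card number and a 14-digit order id.
SAMPLE = "charge ok card=4111 1111 1111 1111 order=12345678901234"
if __name__ == "__main__":
    print(mask_pans_in_text(SAMPLE))
```

The order id in the sample is left untouched because it fails the Luhn check, which keeps the filter from rewriting ordinary long numbers.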

Navigating Payments With an Expert Partner

PAN masking and broader PCI-DSS compliance are incredibly important for every business that accepts credit and debit cards. The good news is that a range of merchant service providers can offer compliance support as well as the tools needed to process card payments.

Swipesum is here to help your business find the right combination of service, support, and price for your payment processing needs. Our independent consultants take your needs into account to create a carefully tailored list of recommendations. They'll take the lead in negotiations, too, helping you find the right solution without excessive costs.

Want to change payment processing at your business for the better? Book your free consultation to get started.

Michael Seaman


Michael is the co-founder and CEO of Swipesum. A veteran of the payments industry, Michael and his brother Stephen have led Swipesum since its inception in 2016. In his free time, Michael enjoys time with his three children.
