Frequently Asked Question

PCI DSS Requirement 3.3 states that PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN.  This requirement covers all displays of PAN, including those on paper reports, computer screens and payment card receipts.

Requirement 3.3 also includes the following note: "This requirement does not supersede stricter requirements in place for displays of cardholder data " for example, legal or payment card brand requirements for point-of-sale (POS) receipts.  It should be noted that the maximum digits allowed per PCI DSS may be different than what is specified in existing regulations.  PCI DSS does not override laws, government regulations, or other legal requirements that govern what can be printed on receipts.  Entities are encouraged to contact their acquirer or the applicable payment brand to determine if any such regulations apply.

Also note that any paper receipts received and/or stored by merchants that contain PAN must adhere to applicable PCI DSS requirements, including Requirement 9 regarding physical security.