Why this matters
Partial display reduces exposure while supporting customer service workflows.
Render PAN only in truncated form: first 6 and last 4 digits. Never render the full PAN, never render CVV/CVC at all (Sensitive Authentication Data must not be retained after authorization, so it should never be available to display), and do not place even a masked PAN next to expiration data unless the workflow requires it. Apply the same masking helper at every presentation point, including emails, PDFs, exports and support tooling, so there is one place to audit. (PCI DSS 4.0 Req. 3.4.1, formerly Req. 3.3 in v3.2.1: the BIN and last four are the maximum digits displayed.)
Side-by-side examples engineers can pattern-match during review.
❌ Bad: the full PAN is rendered to the page
<?php echo $pan; ?>

✅ Good: mask to first 6 and last 4 before the value reaches any template
<?php
function mask_pan(string $pan): string {
    // first 6 + last 4; the star count follows the PAN length (13-19 digits)
    return substr($pan, 0, 6) . str_repeat('*', max(0, strlen($pan) - 10)) . substr($pan, -4);
}
echo mask_pan($pan);
?>

From the same buckets as this rule.
Never emit the Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN or PIN block) to application or audit logs. A log file that captures PAN is a PAN store and pulls the whole logging pipeline into PCI scope, so PCI DSS 4.0 Req. 3 (protect stored account data) and Req. 10 (logging) both apply: mask PAN as first6last4 and fully redact SAD before the line reaches the logger, not in a downstream log processor.
Reject PRs that add real PAN or CVV values to fixtures, seeds, or mocks. Use only the Luhn-valid test PANs published by your payment gateway, or opaque tokens (e.g., a tok_ prefix), and never include a CVV even for test cards. Add a CI check that fails when a PAN regex matches a Luhn-valid number that is not on the gateway's test-card list. (PCI DSS data minimization)
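An added example (not code from the original page) that serves both of the rules above: a scrubber for log lines and a CI check for fixtures, sharing one PAN regex and one Luhn check. It assumes PANs of 13-19 digits optionally separated by single spaces or hyphens, a hypothetical tok_ token prefix, and uses the gateway-published test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444 as constructed sample data, not real cardholder data.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. One helper set serves two rules:
// scrubbing a log line before it is written, and a CI check that fails when
// fixture text contains a Luhn-valid PAN that is not an allowlisted test card.
// Assumptions: 13-19 digit PANs, optionally split by single spaces/hyphens;
// gateway tokens carry the hypothetical "tok_" prefix.

/** Luhn check on a digits-only string; filters out order ids, timestamps, etc. */
function luhn_valid(string $digits): bool
{
    if (preg_match('/^\d+\z/', $digits) !== 1) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** first6last4 for any PAN length: BIN, stars for the middle, last four. */
function mask_pan(string $digits): string
{
    return substr($digits, 0, 6)
        . str_repeat('*', max(0, strlen($digits) - 10))
        . substr($digits, -4);
}

// 13-19 digit run, each digit optionally followed by one space or hyphen.
const PAN_CANDIDATE = '/\b(?:\d[ -]?){12,18}\d\b/';
// key=value, key: value and "key": "value" forms of SAD and expiry fields.
const SAD_FIELD = '/(["\']?\b(?:cvv2?|cvc2?|cid|pin(?:_block)?|track[12]?)\b["\']?\s*[=:]\s*)["\']?[^\s,"\'}\]]+["\']?/i';
const EXPIRY_FIELD = '/(["\']?\b(?:exp(?:iry|iration|_month|_year|_date)?)\b["\']?\s*[=:]\s*)["\']?[^\s,"\'}\]]+["\']?/i';

/** Mask Luhn-valid PANs and fully redact SAD before a line reaches the logger. */
function scrub_log_line(string $line): string
{
    $line = preg_replace_callback(PAN_CANDIDATE, function (array $m): string {
        $digits = preg_replace('/\D/', '', $m[0]);
        // Digit runs that fail Luhn (order numbers, timestamps) are left as-is.
        return luhn_valid($digits) ? mask_pan($digits) : $m[0];
    }, $line);
    // SAD is never logged, not even masked.
    $line = preg_replace(SAD_FIELD, '$1[REDACTED]', $line);
    // Expiry is cardholder data, not SAD, but a log line has no need for it.
    return preg_replace(EXPIRY_FIELD, '$1[REDACTED]', $line);
}

/** CI check: Luhn-valid PANs in fixture text that are not allowlisted test cards. */
function find_real_pans(string $text, array $allowed_test_pans = []): array
{
    // Strip opaque tokens first so their digits cannot produce false positives.
    $text = preg_replace('/\btok_[A-Za-z0-9_]+/', '', $text);
    preg_match_all(PAN_CANDIDATE, $text, $matches);
    $hits = [];
    foreach ($matches[0] as $candidate) {
        $digits = preg_replace('/\D/', '', $candidate);
        if (luhn_valid($digits)
            && !in_array($digits, $allowed_test_pans, true)
            && !in_array($digits, $hits, true)) {
            $hits[] = $digits;
        }
    }
    return $hits;
}

// Constructed sample log line (not real cardholder data); the order id is not Luhn-valid.
$line = 'charge ok order=5550012345 pan=4111 1111 1111 1111 cvv=123 exp=12/27 amount=19.99';
echo scrub_log_line($line), PHP_EOL;
// charge ok order=5550012345 pan=411111******1111 cvv=[REDACTED] exp=[REDACTED] amount=19.99

// Constructed fixture: a token, an allowlisted test PAN, and a non-allowlisted PAN.
$fixture = <<<'YAML'
customer_a: { source: tok_visa_4242 }
customer_b: { pan: "4111111111111111" }
customer_c: { pan: "5555 5555 5555 4444" }
YAML;
$violations = find_real_pans($fixture, ['4111111111111111']);
// customer_b is allowlisted; customer_c is flagged: ['5555555555554444']
if ($violations !== []) {
    fwrite(STDERR, 'real PAN(s) in fixtures: ' . implode(', ', $violations) . PHP_EOL);
    exit(1);
}
```

Run find_real_pans as a pre-commit hook or CI step over fixture, seed and mock directories; a non-empty result exits 1 and blocks the merge. The Luhn filter is what keeps order numbers and timestamps from tripping either function, and the allowlist is what lets the gateway's published test cards through while still catching any other card-shaped number.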