Why Redacting Sensitive Data is Necessary for PCI Compliance

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) is a standard established and maintained by the credit card industry for their merchants. It defines a set of 12 key requirements, along with 78 base requirements and 400 test procedures.

Any company that accepts credit card payments online must implement the PCS-DSS standard for the storing and handling of credit card data. Some of the requirements include:

• Implementing and maintaining proper overall security, such as creating a firewall, implementing proper password protection, and installing anti-virus software
• Encrypting credit card data both at rest (i.e., when stored in a database) and in transit (i.e., being sent over the Internet)
• Restricting both physical and virtual access to sensitive customer data

Specifically, PCI-DSS requirement three directs companies on how to handle storing credit card data. Requirement 3.1 specifies that companies must remove cardholder data that has exceeded its retention period. And requirement 3.3 specifies that the card number should never be displayed openly but should always be masked, or redacted.

The costs of ignoring PCI compliance

PCI-DSS isn't a law. However, credit card companies can - and do- pass on fines to their merchants for non-compliance.

Merchants can assess two types of fines. The first is a monthly fine for non-compliance. This can start between USD $5,000 to $10,000 a month for the first 1-3 months. If a company remains noncompliant for 7 or more months, fines can rise to between $50,000 and $100,000.

However, merchants can assess even stiffer penalties if customer credit card data is exposed. Fines for exposure are around $50 to $90 per data breach.

That "small" fine can add up quickly. In 2013, Target failed to heed warnings from its malware detection software. They lost 40 million customer records in the resulting data breach.

Businesses can suffer additional penalties at the local and national levels as well. In the United States, while PCI compliance isn't law, the Federal Trade Commission (FTC) can enforce it through court precedent.

How redaction helps with PCI compliance

PCI-DSS requires that all customer credit card data be stored and transmitted securely. Businesses can start on the road to compliance by implementing the PCI-DSS standards.

However, it's not enough to implement secure credit card storage and transmission. Sensitive data can also leak via your company's business applications.

Let's look at two cases where unredacted data sent via email, chat, or other business productivity apps can threaten your company's PCI compliance.

PCI-DSS section 3.4.1 is clear: PAN is masked when displayed

The display of full PAN on computer screens, paymentcard receipts, paper reports, etc. can result in this databeing obtained by unauthorized individuals and used fraudulently

This means you're on the hook for PCI Compliance even if you don't store credit card data directly. (For example, you use a third-party processor such as Stripe.) If you handle credit card data in any way, shape, or form, you're responsible for securing it across all of your business's tools and processes.

Unfortunately, people sometimes take shortcuts that bypass secure storage systems. For example, users may send their credit card information directly to you via e-mail. Or they may paste it into a Slack chat.

This represents a double threat to the user's security. First, they may expose their information to someone at your company who's not authorized to access credit card data. Such insider threats are as serious a risk to your company and customers as external hackers.

You can eliminate this risk by redacting information as soon as a user attempts to type it. For example, you can set up redaction on communication channels like Slack to detect the presence of credit card information and immediately replace it with redacted values.

Strac DLP protects customer with PCI compliance by redacting credit card information immediately.

PCI DSS 4.0 – Requirement 4.2.2: Protecting PAN in End-User Messaging Technologies

Requirement 4.2.2 of PCI DSS 4.0 mandates that Primary Account Number (PAN) must be protected using strong cryptography whenever it is transmitted via end-user messaging technologies. This includes common communication platforms such as email, SMS, Slack, Microsoft Teams, Zoom chat, and other collaboration tools.

The challenge? These platforms were never designed to handle cardholder data securely — and yet, in real-world scenarios, PAN often ends up being copied, pasted, or forwarded by employees trying to resolve support issues, communicate with vendors, or assist customers.

✨ How Strac Helps Enforce PCI 4.2.2

Strac solves this compliance challenge by providing real-time data loss prevention (DLP) and automated redaction across end-user messaging systems. This includes:

• Emails (Gmail, Outlook / O365): Automatically redacts PAN from message body and attachments.
• Slack / Microsoft Teams: Scans messages and files in real-time to detect and remove PAN.
• Customer support platforms (Zendesk, Intercom, etc.): Redacts PAN when agents or customers paste sensitive information into tickets or chats.
• AI tools (ChatGPT, Copilot, Claude): Blocks or alerts when PAN is pasted into prompts, protecting against GenAI data leaks.

By doing so, Strac provides organizations with a practical alternative to strong encryption — preventing unencrypted PAN from ever being transmitted in the first place.

Organizations can demonstrate to PCI auditors and QSAs that they are actively mitigating the risk of PAN exposure across modern messaging platforms, which are often overlooked but represent a high-risk vector.

✅ Strac helps you enforce PCI DSS 4.2.2 across all your SaaS and collaboration apps — without requiring workflow disruption or manual review.

‍

PCI DSS 4.0: 12.5 Requirement: A Request for Action for Comprehensive Discovery

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 emphasizes the importance of thorough data discovery methods. Under Section 12.5.2 of PCI 4.0, it is compulsory for organizations to pinpoint every area where account data is kept, handled, and sent. This directive is not merely a recommendation; it's an essential compliance obligation that goes beyond the Cardholder Data Environment (CDE) to include applications, system transmissions, and file backups.

Automate redaction for PCI compliance - Video

Strac is a Data Loss Prevention (DLP) company that automates redaction of sensitive data like credit card data, cvv, credentials, and other personally identifiable information (PII) across a growing suite of applications. Strac redacts PCI data in email body and attachment for Microsoft Office 365, Gmail. Also in customer support apps like Zendesk, Salesforce, HubSpot, Intercom. Also in Slack, and bunch of SaaS, Cloud apps and Endpoint. See all Integrations.

Book a demo to see it in action today! Also, please read more about Card Data Discovery tool

Any questions?

If you have any questions or want to learn how Strac can help you comply with PCI-DSS, please book a meeting with us.

‍