When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are:


The requirement to mask a Primary Account Number (PAN) when it is displayed to an employee who does not need to see the full number comes from PCI DSS Requirement 3.3 (v3.2.1), carried forward as Requirement 3.4.1 in v4.0. The correct choice states that all digits between the first six and the last four must be masked. Put the other way round, the first six and the last four digits are the maximum that may be shown; an organization is free to display fewer (for example only the last four), but never more, unless the viewer has a documented business need for the full PAN.

The rationale for masking exactly the middle digits is that the two visible segments carry the least sensitive information. The first six digits are the BIN/IIN, which identifies the issuer and card product rather than an individual account, and the last four let staff confirm with a customer which card was used. The digits in between are what would let an attacker reconstruct the account number, so hiding them sharply reduces what a shoulder-surfer, a screenshot or an over-exposed report can yield for fraud, while still leaving enough for routine identification. (PCI DSS v4.0 phrases the leading segment as "the BIN" to accommodate eight-digit BINs, but the principle is unchanged.)

This security control matters because it enforces need-to-know for cardholder data: the full PAN is disclosed only to roles with a legitimate, documented business need, and everyone else sees a masked value. Two caveats worth remembering for the exam: masking is a display control and is distinct from truncation, which permanently stores only a segment of the PAN; and a masked display does nothing to satisfy the separate requirement that stored PAN be rendered unreadable (Requirement 3.4 in v3.2.1, 3.5.1 in v4.0). The option correctly strikes a balance between operational needs and security requirements.
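The rule above is simple to state but easy to get subtly wrong in code (variable PAN lengths, a "show fewer digits" option that accidentally shows more, masked output that still leaks a middle digit). The following is an added example written for this page, not code from PCI SSC or any vendor; the function names, the 13-19 digit length window and the sample card numbers (well-known test numbers, not real accounts) are my own assumptions.

```python
"""PAN display masking per the PCI DSS rule: at most the first six and last
four digits are shown; every digit in between is masked.
Added example for this page; names and length limits are assumptions."""
import re

PAN_MIN_LEN, PAN_MAX_LEN = 13, 19   # assumed PAN length window (typical in practice)
MAX_LEAD, MAX_TRAIL = 6, 4          # PCI DSS maximum digits that may be displayed
MASK_CHAR = "X"


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and require a plausible all-digit PAN."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN:
        raise ValueError("input is not a 13-19 digit PAN")
    return digits


def mask_pan(raw: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL) -> str:
    """Return the PAN with all digits between the leading and trailing visible
    segments replaced by MASK_CHAR. Callers may show fewer digits than the
    maximum, never more; the guard is what keeps a 'reveal a bit more'
    feature from silently breaching the standard."""
    if not (0 <= lead <= MAX_LEAD and 0 <= trail <= MAX_TRAIL):
        raise ValueError("cannot display more than the first six and last four")
    digits = normalize_pan(raw)
    hidden = len(digits) - lead - trail        # at least 3 for any 13-digit PAN
    # slice with an explicit end index: digits[-0:] would return the whole PAN
    return digits[:lead] + MASK_CHAR * hidden + digits[len(digits) - trail:]


def display_pan(raw: str, needs_full_pan: bool) -> str:
    """Need-to-know gate: only a role with a documented business need sees
    the full PAN; everyone else gets the masked form."""
    return normalize_pan(raw) if needs_full_pan else mask_pan(raw)


def is_compliantly_masked(shown: str) -> bool:
    """Check a PAN-shaped string about to be rendered (or found in a log,
    report or screenshot): True only if no digit is visible in the region
    that PCI DSS requires to be masked."""
    s = re.sub(r"[\s-]", "", shown)
    if not PAN_MIN_LEN <= len(s) <= PAN_MAX_LEN:
        return False
    middle = s[MAX_LEAD:len(s) - MAX_TRAIL]
    return not any(ch.isdigit() for ch in middle)


if __name__ == "__main__":
    # Constructed inputs: industry test card numbers, not real accounts.
    print(mask_pan("4111 1111 1111 1111"))          # 16-digit PAN
    print(mask_pan("4222222222222"))                # 13-digit PAN, only 3 masked
    print(mask_pan("4111111111111111", lead=0))     # stricter: last four only
    print(display_pan("4111-1111-1111-1111", needs_full_pan=False))
    print(is_compliantly_masked("411111XXXX111111"))  # one digit too many shown
```

`is_compliantly_masked` is the check an ISA would actually want to run against screens, exports and application logs: it ignores separators, and it flags output such as `411111XXXX111111`, which looks masked at a glance but exposes five trailing digits.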
