Business sensitive data (passwords, credit card numbers, CVV, etc.) must be masked.
Applications usually handle personal information, such as credit card numbers, CVV, personal identifications, social security numbers, etc. Exposure of this data could severely affect its owners, so it must be considered sensitive and specifically protected. Masking is a mechanism that contributes to this protection.
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor: The product does not properly prevent a person's private, personal information from being accessed by actors who either are not explicitly authorized to access the information or do not have the implicit consent of the person about whom the information is collected.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing. (1a): The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
GDPR. Recital 51: Protecting sensitive personal data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
ISO 27001:2013. Annex A - 18.1.3: Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
PCI DSS v3.2.1 - Requirement 3.3: Mask PAN (Primary Account Number) when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
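The masking rule above, applied to text before it is displayed or logged, as an added example that is not part of the original requirement. The field names (`cvv`, `cvc`), the log line layout and the use of a Luhn check to avoid masking unrelated digit runs are assumptions of this sketch.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Security-code fields; the key names (cvv, cvc) are assumptions.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?)(\W{1,4})\d{3,4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str, show_first: int = 6, show_last: int = 4) -> str:
    """Keep at most the first six and last four digits; star the rest."""
    first = max(0, min(show_first, 6))
    last = max(0, min(show_last, 4))
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]

def mask_text(text: str) -> str:
    """Mask security codes entirely and Luhn-valid PANs to 6+4 digits."""
    def _pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    # Codes are replaced by a fixed-length mask so their length is not shown.
    text = CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "***", text)
    return PAN_RE.sub(_pan, text)

# Constructed sample log lines (test card numbers, not real data).
SAMPLE = [
    "pay ok pan=4111 1111 1111 1111 cvv=123 order=1234567890123456",
    'user=alice card=5500-0000-0000-0004 "cvc": "9876"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(mask_text(line))
```

Callers that need to show fewer digits can pass smaller `show_first` and `show_last` values; larger values are clamped to six and four.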