tls – PCI & e-banking sensitive information tokenization/encryption/obfuscation – Which fields need to be secured?

According to the PCI standard, all businesses that store, process or transmit payment cardholder data must be PCI compliant.

Taking into account that we are talking about a bank, fields like card number and card holder’s name should be obfuscated when displayed on the screen.

  • What about the URL? Is it acceptable to have a request like https://myBank.com/cards/012345678901234/payment-third-party where the card number appears as a path variable?
  • What about the case where the card number appears in the request payload {cardNumber: "012345678901234"}? What about the Network Tab (F12): is it acceptable for the fields to appear raw there, while they appear obfuscated on the screen?
  • Regardless of the PCI standard, should the e-mail, tax ID and physical addresses appear raw on screen? For security reasons, since this is sensitive information, they should be at least obfuscated. What about the Network Tab (F12)? Is it acceptable for the fields to appear raw there?
  • Are there any other regulations for banks, or security “tips”?

Thank you very much in advance.