I don't think there's a 'masking requirement' per se, but it's generally a good practice to mask SSN's.
