If you display 4 digits to the user for CC validation, as basically everyone does, then there will always be someone who can read those 4 digits and give them to someone else.
You don't need to display them to the user. The user can ask for them from the customer. The user types in the 4 digits the customer provides. The computer compares the two strings. The user need never see the real stored digits.