Currently in the vendor record card anyone can access the SSN field.
This field should be masked unless you are granted access.
The field should also be encrypted at the database level