diff --git a/benefits/core/admin.py b/benefits/core/admin.py
index ed707c8f7..7ab0602be 100644
--- a/benefits/core/admin.py
+++ b/benefits/core/admin.py
@@ -18,7 +18,15 @@
 STAFF_GROUP_NAME = "Cal-ITP"
 
 logger.debug("Register models with admin site")
-admin.site.register(models.PemData)
+
+
+@admin.register(models.PemData)
+class PemDataAdmin(admin.ModelAdmin):  # pragma: no cover
+    def get_exclude(self, request, obj=None):
+        if not request.user.is_superuser:
+            return ["text_secret_name"]
+        else:
+            return super().get_exclude(request, obj)
 
 
 @admin.register(models.AuthProvider)
diff --git a/benefits/core/migrations/0014_staff_group_view_permissions.py b/benefits/core/migrations/0014_staff_group_view_permissions.py
index 384108372..6802f3728 100644
--- a/benefits/core/migrations/0014_staff_group_view_permissions.py
+++ b/benefits/core/migrations/0014_staff_group_view_permissions.py
@@ -15,6 +15,7 @@ def add_view_permissions(apps, schema_editor):
 
     Permission = apps.get_model("auth", "Permission")
     permission_names = [
+        "Can view pem data",
         "Can view auth provider",
         "Can view eligibility type",
         "Can view eligibility verifier",