To have the endpoint send the match masked as you desire you would use the following setting configured in a System Policy applied to the endpoints:
By default, the entire match string is sent to the console. When sendMatch is disabled, this setting has no effect. To send only the last 4 characters (or all characters if the match string is 4 characters or less), set this value to Enable (1).
The setting you are referring to in the Console's>Admin>Application Settings screen will mask only the last four digits of a CCN.
To mask the existing matches in the database you can create a Purge Matches Service Tasks with the option you wish:
You also can assign Users of the Console to a Role that has a view permission of Masked as explained in the following linked article:
The Identity Finder Settings Viewer is a stand-alone reference tool that describes all of the settings available for the client applications: