The network discovery feature can use certain discovery protocols, such as SNMP, CDP, and I think a few others if defined with appropriate data and discover some devices, but not to the extent of all devices, mostly just network devices configured for discovery.
As far as I am aware, the sensitive data masks will prevent the data from appearing in the SIEM in a readable format, without the user having proper authorization. It basically uses a regex for a predefined format to find data, and hide it so it cannot be seen in the SIEM. It will not actively go out in the network and mask this data.
If you are searching for credit card specific information, you could potentially do a regex search against the ELM utilizing the regexes specified in the sensitive data masks section for credit card information, and see if it returns any data found matching the regex (presuming your PAN device is showing the data unencrypted and logging the data visibly via syslog) which I believe PAN uses syslog forwarding with support for TLS.
Hopefully that helps, or if you have any additional questions, feel free to reach out to me.
Great answer Ryan; and to add to the answer of searching for credit card information McAfee's Data Loss Prevention (DLP) is a great tool that i believe natively monitors and identifying such events.