An old invoice shows your full 16-digit card number. Your accountant needs to verify the payment; nobody else in the chain needs the full PAN. Standard practice is to mask all but the last four digits.
Why card masking matters
Under PCI-DSS (Payment Card Industry Data Security Standard), the Primary Account Number (PAN) must be masked wherever it is displayed; only staff with a legitimate business need may see more of it. The most the standard allows in the clear is the first six and last four digits.
For most receipts and invoices forwarded for verification, last-four is sufficient. Full PAN exposure can trigger PCI compliance issues if you're a merchant; for individuals, it's still a fraud risk you don't need to take.
How to redact in Flint
Open the PDF in Flint's redaction tool. Mark the middle digits of each card number. Save the redacted output. Verify by selecting and copying text over the redacted regions: if digits still come across, the redaction only drew over the text instead of removing it, and nothing extractable should remain.
For multi-page statements showing card numbers in headers and transaction logs, redact every instance. CVV, expiration dates and cardholder names should also be redacted unless the recipient genuinely needs them.
Bulk statements
For monthly statements with hundreds of transactions, the card number usually appears once or twice (in the header) and the transaction lines reference it implicitly. Redact the header; transaction lines usually don't include the full PAN.
For statements from POS providers (Stripe, Square), check the extracted text before sharing: some include a partial PAN in the transaction detail, others omit it entirely.
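The masking rule above, the select-and-copy verification step, and the "check before sharing" advice for POS statements can all be exercised with a small script. The following is an added example, not Flint's own code or anything from the original page: it masks a PAN to last-four (or the first-six/last-four PCI maximum) and scans text extracted from a redacted document for any full card number that survived, using the Luhn check to drop invoice numbers and other digit runs that merely look like PANs. The sample extract, the regex and the function names are assumptions made for the example; in practice you would feed it the output of a text extractor such as pdftotext.

```python
"""Added example (not Flint's code): mask a PAN for display, and scan text
extracted from a redacted document for full card numbers that survived."""
import re

# A run of 13 to 19 digits, each optionally followed by one space or hyphen
# (the print formats seen on receipts), bounded by non-digits on both sides.
# This regex and the helper names below are assumptions for the example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check used by card numbers; drops most look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4, mask_char: str = "X") -> str:
    """Return the PAN with all but the leading/trailing digits replaced.

    Default keeps only the last four (what a receipt forwarded for verification
    needs). keep_first=6 gives the most PCI-DSS lets you display.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI-DSS permits at most first six and last four in the clear")
    middle = len(digits) - keep_first - keep_last
    return digits[:keep_first] + mask_char * middle + digits[len(digits) - keep_last:]


def find_unmasked_pans(text: str) -> list[str]:
    """Every Luhn-valid 13-19 digit run in the text: a candidate full PAN the
    redaction missed. Masked forms such as XXXXXXXXXXXX1111 do not match."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def redaction_report(text: str) -> list[tuple[int, str, str]]:
    """(line number, surviving PAN, what it should have looked like) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_unmasked_pans(line):
            findings.append((lineno, pan, mask_pan(pan)))
    return findings


# Constructed sample of text extracted from a statement after redaction: the
# header PAN was masked, two transaction lines were missed, and an invoice
# number that merely looks like a PAN is present (it fails Luhn).
SAMPLE_EXTRACT = """\
Card statement  Account XXXXXXXXXXXX1111
2024-03-02  COFFEE SHOP            4.50
2024-03-05  REFUND to card 4111 1111 1111 1111   -12.00
2024-03-09  ORDER 5105105105105100 (card ending 5100)
Invoice number 1234567890123
"""

if __name__ == "__main__":
    for lineno, pan, masked in redaction_report(SAMPLE_EXTRACT):
        print(f"line {lineno}: full PAN still extractable: {pan} (expected {masked})")
```

Run it against the text you get from select-and-copy or from a text extractor; an empty report means no Luhn-valid full PAN is left in the text layer. The Luhn filter is what keeps order and invoice numbers out of the findings, so a hit is worth a manual look rather than a reflexive dismissal.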
FAQ
Is PCI-DSS compliance required for individuals?
No. PCI-DSS applies to merchants and processors. For individuals, masking card numbers is good practice but not a legal requirement.
Can I keep CVV in a forwarded document?
Never. CVV should never be stored or transmitted after authorisation. Redact aggressively.
What about gift cards and prepaid cards?
Same principle: they're funding instruments, so mask all but the last four digits if forwarded.
Does Flint detect card numbers automatically?
Manual marking is the default in the redaction tool. Automated PII detection can pre-flag candidates; always verify manually before release.
Last-four is enough for most verification. Redact the rest before any forwarding.